Analysis
- max time kernel: 299s
- max time network: 288s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-09-2024 16:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: TRISHA+ORGANIZER.zip
- Resource: win10v2004-20240802-en
General
- Target: TRISHA+ORGANIZER.zip
- Size: 65.7MB
- MD5: 96ed480f56cdb3acd81ab8b838f08608
- SHA1: 3055effdddeed07769fb278f55b234cc5ea6ac0e
- SHA256: 33fb8b0d61a1c2a7226ab510525cd928194bfc3a7903e381bfa19510a7396578
- SHA512: 0179121ac8dfd61c50c9ddb91f7df8b29e913d70ccdbdb01ce5b8670f1ea28d50c1debec897cb3efa60009a310857eb4ac2df482af3c6643de39b965a52f6aee
- SSDEEP: 1572864:/aSHlwFRflVhjNR/D3kQGA/SHsEO5Z8jUsk6qlvvoePof:/aU6l/hR/D3kbMEMusNwUk
Malware Config
Extracted: remcos
- RemoteHost: privmerkt.com:8922
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-LAI9XP
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Executes dropped EXE (2 IoCs)
  pid 3640: 2023 TRISHA ORGANIZERpdf.exe
  pid 832: 2023 TRISHA ORGANIZERpdf.exe
- Loads dropped DLL (1 IoC)
  pid 3640: 2023 TRISHA ORGANIZERpdf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco = "rundll32.exe C:\\Users\\Admin\\Documents\\CiscoUpdater000_PARTIAL.dll,EntryPoint" (process: reg.exe)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2023 TRISHA ORGANIZERpdf.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2023 TRISHA ORGANIZERpdf.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: reg.exe)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeRestorePrivilege (pid 2872, 7zG.exe)
  Token: 35 (pid 2872, 7zG.exe)
  Token: SeSecurityPrivilege (pid 2872, 7zG.exe)
  Token: SeSecurityPrivilege (pid 2872, 7zG.exe)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2872: 7zG.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3640 wrote to memory of 832 (2023 TRISHA ORGANIZERpdf.exe, procid_target 99)
  PID 3640 wrote to memory of 832 (2023 TRISHA ORGANIZERpdf.exe, procid_target 99)
  PID 3640 wrote to memory of 832 (2023 TRISHA ORGANIZERpdf.exe, procid_target 99)
  PID 3640 wrote to memory of 832 (2023 TRISHA ORGANIZERpdf.exe, procid_target 99)
  PID 3640 wrote to memory of 832 (2023 TRISHA ORGANIZERpdf.exe, procid_target 99)
  PID 3640 wrote to memory of 3256 (2023 TRISHA ORGANIZERpdf.exe, procid_target 100)
  PID 3640 wrote to memory of 3256 (2023 TRISHA ORGANIZERpdf.exe, procid_target 100)
  PID 3640 wrote to memory of 3256 (2023 TRISHA ORGANIZERpdf.exe, procid_target 100)
  PID 3256 wrote to memory of 892 (cmd.exe, procid_target 102)
  PID 3256 wrote to memory of 892 (cmd.exe, procid_target 102)
  PID 3256 wrote to memory of 892 (cmd.exe, procid_target 102)
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\TRISHA+ORGANIZER.zip
  PID: 2252
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4712
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\TRISHA+ORGANIZER\" -spe -an -ai#7zMap28603:112:7zEvent11431
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2872
- C:\Users\Admin\AppData\Local\Temp\TRISHA+ORGANIZER\2023 TRISHA ORGANIZERpdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TRISHA+ORGANIZER\2023 TRISHA ORGANIZERpdf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3640
  - C:\Users\Admin\AppData\Local\Temp\TRISHA+ORGANIZER\2023 TRISHA ORGANIZERpdf.exe (child of PID 3640)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TRISHA+ORGANIZER\2023 TRISHA ORGANIZERpdf.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 832
  - C:\Windows\SysWOW64\cmd.exe (child of PID 3640)
    Command line: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3256
    - C:\Windows\SysWOW64\reg.exe (child of PID 3256)
      Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      PID: 892
Network
- Remote address: 8.8.8.8:53 | Request: 104.219.191.52.in-addr.arpa IN PTR | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: 104.219.191.52.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53 | Request: 172.214.232.199.in-addr.arpa IN PTR | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: 2.159.190.20.in-addr.arpa IN PTR | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: 58.55.71.13.in-addr.arpa IN PTR | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: 133.211.185.52.in-addr.arpa IN PTR | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: 133.211.185.52.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53 | Request: 133.211.185.52.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53 | Request: privmerkt.com IN A | Response: privmerkt.com IN A 172.111.244.3
- Remote address: 8.8.8.8:53 | Request: privmerkt.com IN A
- Remote address: 8.8.8.8:53 | Request: privmerkt.com IN A
- Remote address: 8.8.8.8:53 | Request: privmerkt.com IN A
- Remote address: 8.8.8.8:53 | Request: privmerkt.com IN A
- Remote address: 8.8.8.8:53 | Request: 50.23.12.20.in-addr.arpa IN PTR | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: 50.23.12.20.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53 | Request: 56.126.166.20.in-addr.arpa IN PTR | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: 3.244.111.172.in-addr.arpa IN PTR | Response: 3.244.111.172.in-addr.arpa IN PTR ns645dnspurecom
- Remote address: 8.8.8.8:53 | Request: 3.244.111.172.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53 | Request: 3.244.111.172.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53 | Request: 3.244.111.172.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53 | Request: 3.244.111.172.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53 | Request: 18.134.221.88.in-addr.arpa IN PTR | Response: 18.134.221.88.in-addr.arpa IN PTR a88-221-134-18.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53 | Request: 18.134.221.88.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53 | Request: 18.134.221.88.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53 | Request: 233.143.123.92.in-addr.arpa IN PTR | Response: 233.143.123.92.in-addr.arpa IN PTR a92-123-143-233.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53 | Request: 11.227.111.52.in-addr.arpa IN PTR | Response: (empty)
- Remote address: 8.8.8.8:53 | Request: 25.140.123.92.in-addr.arpa IN PTR | Response: 25.140.123.92.in-addr.arpa IN PTR a92-123-140-25.deploy.static.akamaitechnologies.com
DNS flows (per-flow counters as reported, followed by the queries in that flow):
- 146 B 147 B 2 1: DNS Request 104.219.191.52.in-addr.arpa; DNS Request 104.219.191.52.in-addr.arpa
- 74 B 128 B 1 1: DNS Request 172.214.232.199.in-addr.arpa
- 71 B 157 B 1 1: DNS Request 2.159.190.20.in-addr.arpa
- 70 B 144 B 1 1: DNS Request 58.55.71.13.in-addr.arpa
- 219 B 147 B 3 1: DNS Request 133.211.185.52.in-addr.arpa; DNS Request 133.211.185.52.in-addr.arpa; DNS Request 133.211.185.52.in-addr.arpa
- 295 B 75 B 5 1: DNS Request privmerkt.com; DNS Request privmerkt.com; DNS Request privmerkt.com; DNS Request privmerkt.com; DNS Request privmerkt.com; DNS Response 172.111.244.3
- 140 B 156 B 2 1: DNS Request 50.23.12.20.in-addr.arpa; DNS Request 50.23.12.20.in-addr.arpa
- 72 B 158 B 1 1: DNS Request 56.126.166.20.in-addr.arpa
- 360 B 103 B 5 1: DNS Request 3.244.111.172.in-addr.arpa; DNS Request 3.244.111.172.in-addr.arpa; DNS Request 3.244.111.172.in-addr.arpa; DNS Request 3.244.111.172.in-addr.arpa; DNS Request 3.244.111.172.in-addr.arpa
- 216 B 137 B 3 1: DNS Request 18.134.221.88.in-addr.arpa; DNS Request 18.134.221.88.in-addr.arpa; DNS Request 18.134.221.88.in-addr.arpa
- 73 B 139 B 1 1: DNS Request 233.143.123.92.in-addr.arpa
- 72 B 158 B 1 1: DNS Request 11.227.111.52.in-addr.arpa
- 72 B 137 B 1 1: DNS Request 25.140.123.92.in-addr.arpa
-
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6.1MB
  MD5: 4864a55cff27f686023456a22371e790
  SHA1: 6ed30c0371fe167d38411bfa6d720fcdcacc4f4c
  SHA256: 08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2
  SHA512: 4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb
- Filesize: 6.3MB
  MD5: 6c1d68c7960415c632429da5aa258062
  SHA1: c4de42e1b1de043c1a4224eacbd429d4fbef5764
  SHA256: 5b9c3d8a7377aa103f13a12bbd81f9d833de987e1a39da3d1b30ef4a30437cfa
  SHA512: 5d3b250636bc6ee96f4b3329a29d0d4b7cbebbcf7f7ed325725b2cbd9830d51f843b472b55f5c34845f90c69fe7f80e803e44b0142df443ab5c53b2af4805e86