Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-09-2024 10:01
Static task
static1
Behavioral task
behavioral1
Sample
New Order.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
New Order.exe
Resource
win10v2004-20240802-en
General
-
Target
New Order.exe
-
Size
899KB
-
MD5
8d1627dd83de9ad6ea38b9b3d7e232fc
-
SHA1
6108d6e669d30d0586335dfd2f7126c138cf3ab1
-
SHA256
699ab96ab77fb83fb6468bfc51531a91899fe94048e526ae232fb6fe9ac52290
-
SHA512
f9a30622d1b643e954375ef6a81f9273cfa1bd1dd93a18b97aaf24fcd1f489950fe54d7516129efb7418445beee029663306e65f78d3adda30eb4fdbb3f43ac9
-
SSDEEP
24576:ISaWiW60OWtDBDtOBXT7GN+QXvADJz2sGamXP+Pr:ISf605tm7GQQNL
Malware Config
Extracted
remcos
RemoteHost
192.3.64.152:2559
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-TS121V
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1448 set thread context of 2568 1448 New Order.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language New Order.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language New Order.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1448 New Order.exe 1448 New Order.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1448 New Order.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1448 wrote to memory of 2688 1448 New Order.exe 30 PID 1448 wrote to memory of 2688 1448 New Order.exe 30 PID 1448 wrote to memory of 2688 1448 New Order.exe 30 PID 1448 wrote to memory of 2688 1448 New Order.exe 30 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31 PID 1448 wrote to memory of 2568 1448 New Order.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Order.exe"C:\Users\Admin\AppData\Local\Temp\New Order.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\New Order.exe"C:\Users\Admin\AppData\Local\Temp\New Order.exe"2⤵PID:2688
-
-
C:\Users\Admin\AppData\Local\Temp\New Order.exe"C:\Users\Admin\AppData\Local\Temp\New Order.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2568
-
Network
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN AResponsegeoplugin.netIN A178.237.33.50
-
Remote address:178.237.33.50:80RequestGET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
server: Apache
content-length: 954
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
-
3.2kB 1.5kB 12 16
-
623 B 2.5kB 12 4
HTTP Request
GET http://geoplugin.net/json.gpHTTP Response
200