Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 14:26
Static task
static1
Behavioral task
behavioral1
Sample
Trojan.MSIL.Hanoone.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Trojan.MSIL.Hanoone.exe
Resource
win10v2004-20240802-en
General
-
Target
Trojan.MSIL.Hanoone.exe
-
Size
2.1MB
-
MD5
f3170f0a9fbd0466bac6cf8757d89b70
-
SHA1
561c35ef1b516e0c28d775b9a50486104d3078a3
-
SHA256
92c459b677130c62f0a34f1b77f26c098e04212bb56d7906f8aad278d37394cb
-
SHA512
fcfb2910781a8d2409da48cac8396a40f2aaf54532fa58ad6882cbb7316bfbed3dd4eb0c76f2eca29c00f8ccbd5ffb5c79d1660b539103f76e9fb5193fd27f3a
-
SSDEEP
24576:uD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPj8/j73AneLKJJ+4M:up7E+QrFUBgq23M
Malware Config
Extracted
remcos
1.7 Pro
Host
213.183.58.19:4000
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
read.dat
-
keylog_flag
false
-
keylog_folder
CastC
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_sccafsoidz
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 2 IoCs
pid Process 2648 sbietrcl.exe 3000 sbietrcl.exe -
Loads dropped DLL 1 IoCs
pid Process 2280 Trojan.MSIL.Hanoone.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe" Trojan.MSIL.Hanoone.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2648 set thread context of 3000 2648 sbietrcl.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sbietrcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sbietrcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan.MSIL.Hanoone.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2280 Trojan.MSIL.Hanoone.exe 2280 Trojan.MSIL.Hanoone.exe 2280 Trojan.MSIL.Hanoone.exe 2280 Trojan.MSIL.Hanoone.exe 2280 Trojan.MSIL.Hanoone.exe 2280 Trojan.MSIL.Hanoone.exe 2648 sbietrcl.exe 2648 sbietrcl.exe 2648 sbietrcl.exe 2648 sbietrcl.exe 2648 sbietrcl.exe 2648 sbietrcl.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2280 Trojan.MSIL.Hanoone.exe Token: SeDebugPrivilege 2648 sbietrcl.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3000 sbietrcl.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2648 2280 Trojan.MSIL.Hanoone.exe 30 PID 2280 wrote to memory of 2648 2280 Trojan.MSIL.Hanoone.exe 30 PID 2280 wrote to memory of 2648 2280 Trojan.MSIL.Hanoone.exe 30 PID 2280 wrote to memory of 2648 2280 Trojan.MSIL.Hanoone.exe 30 PID 2648 wrote to memory of 3000 2648 sbietrcl.exe 31 PID 2648 wrote to memory of 3000 2648 sbietrcl.exe 31 PID 2648 wrote to memory of 3000 2648 sbietrcl.exe 31 PID 2648 wrote to memory of 3000 2648 sbietrcl.exe 31 PID 2648 wrote to memory of 3000 2648 sbietrcl.exe 31 PID 2648 wrote to memory of 3000 2648 sbietrcl.exe 31 PID 2648 wrote to memory of 3000 2648 sbietrcl.exe 31 PID 2648 wrote to memory of 3000 2648 sbietrcl.exe 31 PID 2648 wrote to memory of 3000 2648 sbietrcl.exe 31 PID 2648 wrote to memory of 3000 2648 sbietrcl.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Hanoone.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Hanoone.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3000
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b2d44345af17f167882f1dc8ff2a0d7f
SHA1e53d13b3d2bddaa4854ad9003deaddb5952af17c
SHA2566111adf726d5139f4c1dcb5640a73a1fe0ea02caa3d4a1c1bcd0691409c44873
SHA512b96829c3ac9d982ebe62c6d2019340c015a9d4ce17aedf4a44ee6f5796e273919fcde9734897aba0763c92c5213b1e62e9085ceee08979c53d766d72928b86bc
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
2.1MB
MD5e7877ecdad2b3ae78fa3e8b4f261dde9
SHA16f1dcb05578deb46c3fcb1cd875edc34ae438bbe
SHA256461df8809f8e7c86048edcf2a61f1c0ce6906610a83d569738cabbfd7b242972
SHA512b2182fa224db08c95d67d2143b96cee5946e2f53ff024c05cd34a5f9e00d65d2194bec5821ed7b468d977e1eb542ab9ff1f794e56d8d9a9eb3d60051a5bf6946