Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
17-09-2024 11:52
Static task
static1
Behavioral task
behavioral1
Sample
orderspecification.pif.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
orderspecification.pif.exe
Resource
win10v2004-20240802-en
General
-
Target
orderspecification.pif.exe
-
Size
862KB
-
MD5
32fdfac1be3eeb287976d70b621ba718
-
SHA1
2dd9ced6021c1f1e8f772ead665e70ee4250c238
-
SHA256
c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13
-
SHA512
a77441898821e5f84c860c05ea62357851330693d1566ff60ea47676efef0846e99192d1ba51d8a5569b2b93acf697eccb0ecf047ed17ab58a9453fd5af32cba
-
SSDEEP
24576:PYZIth8N9PnPo2SxApB3x8uYU66U25BL:Pvth8N5Po2rpH8uYUOA
Malware Config
Extracted
remcos
RemoteHost
www.drechftankholding.com:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
dfgh
-
mouse_option
false
-
mutex
Rmc-8J6PG9
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/1936-56-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/2128-57-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/1620-61-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/1936-56-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2128-57-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2744 powershell.exe 380 powershell.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2000 set thread context of 3008 2000 orderspecification.pif.exe 37 PID 3008 set thread context of 2128 3008 vbc.exe 40 PID 3008 set thread context of 1936 3008 vbc.exe 41 PID 3008 set thread context of 1620 3008 vbc.exe 42 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language orderspecification.pif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2796 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2000 orderspecification.pif.exe 2000 orderspecification.pif.exe 2744 powershell.exe 380 powershell.exe 2128 vbc.exe 2128 vbc.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 3008 vbc.exe 3008 vbc.exe 3008 vbc.exe 3008 vbc.exe 3008 vbc.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2000 orderspecification.pif.exe Token: SeDebugPrivilege 2744 powershell.exe Token: SeDebugPrivilege 380 powershell.exe Token: SeDebugPrivilege 1620 vbc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3008 vbc.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 2000 wrote to memory of 380 2000 orderspecification.pif.exe 31 PID 2000 wrote to memory of 380 2000 orderspecification.pif.exe 31 PID 2000 wrote to memory of 380 2000 orderspecification.pif.exe 31 PID 2000 wrote to memory of 380 2000 orderspecification.pif.exe 31 PID 2000 wrote to memory of 2744 2000 orderspecification.pif.exe 33 PID 2000 wrote to memory of 2744 2000 orderspecification.pif.exe 33 PID 2000 wrote to memory of 2744 2000 orderspecification.pif.exe 33 PID 2000 wrote to memory of 2744 2000 orderspecification.pif.exe 33 PID 2000 wrote to memory of 2796 2000 orderspecification.pif.exe 34 PID 2000 wrote to memory of 2796 2000 orderspecification.pif.exe 34 PID 2000 wrote to memory of 2796 2000 orderspecification.pif.exe 34 PID 2000 wrote to memory of 2796 2000 orderspecification.pif.exe 34 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 2000 wrote to memory of 3008 2000 orderspecification.pif.exe 37 PID 3008 wrote to memory of 2784 3008 vbc.exe 38 PID 3008 wrote to memory of 2784 3008 vbc.exe 38 PID 3008 wrote to memory of 2784 3008 vbc.exe 38 PID 3008 wrote to memory of 2784 3008 vbc.exe 38 PID 3008 wrote to memory of 1976 3008 vbc.exe 39 PID 3008 wrote to memory of 1976 3008 vbc.exe 39 PID 3008 wrote to memory of 1976 3008 vbc.exe 39 PID 3008 wrote to memory of 1976 3008 vbc.exe 39 PID 3008 wrote to memory of 2128 3008 vbc.exe 40 PID 3008 wrote to memory of 2128 3008 vbc.exe 40 PID 3008 wrote to memory of 2128 3008 vbc.exe 40 PID 3008 wrote to memory of 2128 3008 vbc.exe 40 PID 3008 wrote to memory of 2128 3008 vbc.exe 40 PID 3008 wrote to memory of 1936 3008 vbc.exe 41 PID 3008 wrote to memory of 1936 3008 vbc.exe 41 PID 3008 wrote to memory of 1936 3008 vbc.exe 41 PID 3008 wrote to memory of 1936 3008 vbc.exe 41 PID 3008 wrote to memory of 1936 3008 vbc.exe 41 PID 3008 wrote to memory of 1620 3008 vbc.exe 42 PID 3008 wrote to memory of 1620 3008 vbc.exe 42 PID 3008 wrote to memory of 1620 3008 vbc.exe 42 PID 3008 wrote to memory of 1620 3008 vbc.exe 42 PID 3008 wrote to memory of 1620 3008 vbc.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\orderspecification.pif.exe"C:\Users\Admin\AppData\Local\Temp\orderspecification.pif.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\orderspecification.pif.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sOjQJdX.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sOjQJdX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\nkurvgarqlsqhdewjjfmbfdykxvlhvcv"3⤵PID:2784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\nkurvgarqlsqhdewjjfmbfdykxvlhvcv"3⤵PID:1976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\nkurvgarqlsqhdewjjfmbfdykxvlhvcv"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2128
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\xmzcw"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\agfuprwm"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
Network
-
Remote address:8.8.8.8:53Requestwww.drechftankholding.comIN AResponsewww.drechftankholding.comIN A103.198.26.22
-
Remote address:8.8.8.8:53Requestwww.drechftankholding.comIN A
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN AResponsegeoplugin.netIN A178.237.33.50
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN A
-
Remote address:178.237.33.50:80RequestGET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
server: Apache
content-length: 955
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
-
2.4kB 631 B 10 12
-
29.3kB 510.6kB 203 373
-
623 B 2.5kB 12 4
HTTP Request
GET http://geoplugin.net/json.gpHTTP Response
200
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD51e42254e37de4e142f47c814e787c68f
SHA13596c5dd0a324f79add9d360a2f2cd4191fd1425
SHA256bf412cccc097766267493d39d997fad17b082a5422121aee04471ed1134f46fc
SHA512ad8a793c1af0f02d11d9697751f8d91d359bf919fe05ecaa2f17284536a7e469507da8ea3b076b151a386838c823246014603082acef35fa8e9cb947f52512ea
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1KB
MD526ce64fd5d54176ee668fa7a2bae39a4
SHA17726bf2ac785c922c3f636cb10fc28b0d75fd6eb
SHA2560888875867d7738fc5386036f39f28d1611f4257d7607a442d8f3c067416c1a6
SHA512e3be4774d63820732e84e7eaa7995fbdb296bca9efc28f05017f942d0874ce9e3c83c8be53218bbf4232384e56b37295e3e580bdc71b9253eb0af4e0da5f9ef1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KXYBMCXDJENBPWH2CUZN.temp
Filesize7KB
MD5ef27a44f4684e3cb48e7b4adea9068de
SHA19fd434a1d3b99d41ca9b513564420be470a30324
SHA25619c7a4ab466d8fda88a6e416e33e122a2939a5879478915cf51088914d4acdec
SHA5121f0a07f39af941aec3d0a68a85c164a73679730c2c2e658232160adeca43866525943ee08137e9147d0c983055d32a1f8f2dcdcca24a61f5c6b598fe81f635c2