Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-09-2024 11:52

General

  • Target

    orderspecification.pif.exe

  • Size

    862KB

  • MD5

    32fdfac1be3eeb287976d70b621ba718

  • SHA1

    2dd9ced6021c1f1e8f772ead665e70ee4250c238

  • SHA256

    c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13

  • SHA512

    a77441898821e5f84c860c05ea62357851330693d1566ff60ea47676efef0846e99192d1ba51d8a5569b2b93acf697eccb0ecf047ed17ab58a9453fd5af32cba

  • SSDEEP

    24576:PYZIth8N9PnPo2SxApB3x8uYU66U25BL:Pvth8N5Po2rpH8uYUOA

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

www.drechftankholding.com:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    dfgh

  • mouse_option

    false

  • mutex

    Rmc-8J6PG9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Detected Nirsoft tools 3 IoCs

    Free utilities, often used by attackers, that can recover passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients.

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\orderspecification.pif.exe
    "C:\Users\Admin\AppData\Local\Temp\orderspecification.pif.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\orderspecification.pif.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:380
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sOjQJdX.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sOjQJdX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2796
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\nkurvgarqlsqhdewjjfmbfdykxvlhvcv"
        3⤵
          PID:2784
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\nkurvgarqlsqhdewjjfmbfdykxvlhvcv"
          3⤵
            PID:1976
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\nkurvgarqlsqhdewjjfmbfdykxvlhvcv"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2128
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\xmzcw"
            3⤵
            • Accesses Microsoft Outlook accounts
            • System Location Discovery: System Language Discovery
            PID:1936
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\agfuprwm"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1620

      Network

      • flag-us
        DNS
        www.drechftankholding.com
        vbc.exe
        Remote address:
        8.8.8.8:53
        Request
        www.drechftankholding.com
        IN A
        Response
        www.drechftankholding.com
        IN A
        103.198.26.22
      • flag-us
        DNS
        www.drechftankholding.com
        vbc.exe
        Remote address:
        8.8.8.8:53
        Request
        www.drechftankholding.com
        IN A
      • flag-us
        DNS
        geoplugin.net
        vbc.exe
        Remote address:
        8.8.8.8:53
        Request
        geoplugin.net
        IN A
        Response
        geoplugin.net
        IN A
        178.237.33.50
      • flag-us
        DNS
        geoplugin.net
        vbc.exe
        Remote address:
        8.8.8.8:53
        Request
        geoplugin.net
        IN A
      • flag-nl
        GET
        http://geoplugin.net/json.gp
        vbc.exe
        Remote address:
        178.237.33.50:80
        Request
        GET /json.gp HTTP/1.1
        Host: geoplugin.net
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        date: Tue, 17 Sep 2024 11:52:37 GMT
        server: Apache
        content-length: 955
        content-type: application/json; charset=utf-8
        cache-control: public, max-age=300
        access-control-allow-origin: *
      • 103.198.26.22:2404
        www.drechftankholding.com
        vbc.exe
        2.4kB
        631 B
        10
        12
      • 103.198.26.22:2404
        www.drechftankholding.com
        vbc.exe
        29.3kB
        510.6kB
        203
        373
      • 178.237.33.50:80
        http://geoplugin.net/json.gp
        http
        vbc.exe
        623 B
        2.5kB
        12
        4

        HTTP Request

        GET http://geoplugin.net/json.gp

        HTTP Response

        200
      • 8.8.8.8:53
        www.drechftankholding.com
        dns
        vbc.exe
        142 B
        87 B
        2
        1

        DNS Request

        www.drechftankholding.com

        DNS Request

        www.drechftankholding.com

        DNS Response

        103.198.26.22

      • 8.8.8.8:53
        geoplugin.net
        dns
        vbc.exe
        118 B
        75 B
        2
        1

        DNS Request

        geoplugin.net

        DNS Request

        geoplugin.net

        DNS Response

        178.237.33.50

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ProgramData\dfgh\logs.dat

        Filesize

        144B

        MD5

        1e42254e37de4e142f47c814e787c68f

        SHA1

        3596c5dd0a324f79add9d360a2f2cd4191fd1425

        SHA256

        bf412cccc097766267493d39d997fad17b082a5422121aee04471ed1134f46fc

        SHA512

        ad8a793c1af0f02d11d9697751f8d91d359bf919fe05ecaa2f17284536a7e469507da8ea3b076b151a386838c823246014603082acef35fa8e9cb947f52512ea

      • C:\Users\Admin\AppData\Local\Temp\nkurvgarqlsqhdewjjfmbfdykxvlhvcv

        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      • C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp

        Filesize

        1KB

        MD5

        26ce64fd5d54176ee668fa7a2bae39a4

        SHA1

        7726bf2ac785c922c3f636cb10fc28b0d75fd6eb

        SHA256

        0888875867d7738fc5386036f39f28d1611f4257d7607a442d8f3c067416c1a6

        SHA512

        e3be4774d63820732e84e7eaa7995fbdb296bca9efc28f05017f942d0874ce9e3c83c8be53218bbf4232384e56b37295e3e580bdc71b9253eb0af4e0da5f9ef1

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KXYBMCXDJENBPWH2CUZN.temp

        Filesize

        7KB

        MD5

        ef27a44f4684e3cb48e7b4adea9068de

        SHA1

        9fd434a1d3b99d41ca9b513564420be470a30324

        SHA256

        19c7a4ab466d8fda88a6e416e33e122a2939a5879478915cf51088914d4acdec

        SHA512

        1f0a07f39af941aec3d0a68a85c164a73679730c2c2e658232160adeca43866525943ee08137e9147d0c983055d32a1f8f2dcdcca24a61f5c6b598fe81f635c2

      • memory/1620-59-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1620-60-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1620-61-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1936-53-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

      • memory/1936-55-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

      • memory/1936-56-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

      • memory/2000-42-0x0000000074A30000-0x000000007511E000-memory.dmp

        Filesize

        6.9MB

      • memory/2000-3-0x0000000000220000-0x000000000022E000-memory.dmp

        Filesize

        56KB

      • memory/2000-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

        Filesize

        4KB

      • memory/2000-2-0x0000000074A30000-0x000000007511E000-memory.dmp

        Filesize

        6.9MB

      • memory/2000-6-0x0000000005520000-0x00000000055E0000-memory.dmp

        Filesize

        768KB

      • memory/2000-4-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

        Filesize

        4KB

      • memory/2000-1-0x0000000000C00000-0x0000000000CDE000-memory.dmp

        Filesize

        888KB

      • memory/2000-5-0x0000000074A30000-0x000000007511E000-memory.dmp

        Filesize

        6.9MB

      • memory/2128-54-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/2128-57-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/2128-51-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/3008-36-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

        Filesize

        4KB

      • memory/3008-43-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-45-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-44-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-47-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-46-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-49-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-19-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-21-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-23-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-25-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-27-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-29-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-31-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-34-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-37-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-41-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-68-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

      • memory/3008-72-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

      • memory/3008-71-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

      • memory/3008-73-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-77-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-78-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-38-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-85-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-93-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-94-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/3008-101-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB
