Analysis
max time kernel: 73s
max time network: 77s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/09/2024, 18:16
Static task: static1
Behavioral task behavioral1: sample Trisha 2023 OrganizerPDF.exe, resource win7-20240903-en
Behavioral task behavioral2: sample Trisha 2023 OrganizerPDF.exe, resource win10v2004-20240802-en
Behavioral task behavioral3: sample msimg32.dll, resource win7-20240903-en
Behavioral task behavioral4: sample msimg32.dll, resource win10v2004-20240802-en
Errors
General
Target: Trisha 2023 OrganizerPDF.exe
Size: 6.1MB
MD5: 4864a55cff27f686023456a22371e790
SHA1: 6ed30c0371fe167d38411bfa6d720fcdcacc4f4c
SHA256: 08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2
SHA512: 4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb
SSDEEP: 98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz
Malware Config
Extracted family: remcos
RemoteHost: privmerkt.com:3903, nwemarkets.com:3727
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-NOOI58
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | Trisha 2023 OrganizerPDF.exe

Executes dropped EXE (2 IoCs)
PID 2624 | build.exe
PID 4396 | build.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco = "rundll32.exe C:\\Users\\Admin\\Documents\\CiscoUpdater000_PARTIAL.dll,EntryPoint" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CertainThings = "C:\\Users\\Admin\\Pictures\\GamingUnu\\GamingHeadset.exe" | build.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco = "rundll32.exe C:\\Users\\Admin\\Documents\\CiscoUpdater000_PARTIAL.dll,EntryPoint" | reg.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe (1), reg.exe (2), build.exe (2), Trisha 2023 OrganizerPDF.exe (5), cmd.exe (2)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Modifies data under HKEY_USERS (15 IoCs)
All entries below were written by LogonUI.exe:
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"

Modifies registry class (1 IoC)
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | OpenWith.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeShutdownPrivilege | PID 2272 | Trisha 2023 OrganizerPDF.exe

Suspicious use of SetWindowsHookEx (28 IoCs)
PID 2412 | OpenWith.exe (23 hits)
PID 996 | AcroRd32.exe (4 hits)
PID 4572 | LogonUI.exe (1 hit)

Suspicious use of WriteProcessMemory (33 IoCs)
Rows are source PID -> target PID, source process name, and procid_target, with the number of times the write was recorded:
PID 3012 wrote to memory of 2272 | Trisha 2023 OrganizerPDF.exe | 89 (5 hits)
PID 3012 wrote to memory of 2472 | Trisha 2023 OrganizerPDF.exe | 90 (3 hits)
PID 2472 wrote to memory of 1572 | cmd.exe | 92 (3 hits)
PID 2272 wrote to memory of 2624 | Trisha 2023 OrganizerPDF.exe | 95 (3 hits)
PID 2624 wrote to memory of 4396 | build.exe | 97 (5 hits)
PID 3264 wrote to memory of 4692 | Trisha 2023 OrganizerPDF.exe | 102 (5 hits)
PID 3264 wrote to memory of 2664 | Trisha 2023 OrganizerPDF.exe | 103 (3 hits)
PID 2664 wrote to memory of 3052 | cmd.exe | 105 (3 hits)
PID 2412 wrote to memory of 996 | OpenWith.exe | 106 (3 hits)
Processes
Each entry gives the image path with its PID, the recorded command line, and the signatures attributed to that process; indentation shows the parent/child relationship.

C:\Users\Admin\AppData\Local\Temp\Trisha 2023 OrganizerPDF.exe (PID 3012)
  command line: "C:\Users\Admin\AppData\Local\Temp\Trisha 2023 OrganizerPDF.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Trisha 2023 OrganizerPDF.exe (PID 2272)
    command line: "C:\Users\Admin\AppData\Local\Temp\Trisha 2023 OrganizerPDF.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\build.exe (PID 2624)
      command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\build.exe (PID 4396)
        command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID 2472)
    command line: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 1572)
      command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery

C:\Windows\System32\rundll32.exe (PID 3144)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Trisha 2023 OrganizerPDF.exe (PID 3264)
  command line: "C:\Users\Admin\AppData\Local\Temp\Trisha 2023 OrganizerPDF.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Trisha 2023 OrganizerPDF.exe (PID 4692)
    command line: "C:\Users\Admin\AppData\Local\Temp\Trisha 2023 OrganizerPDF.exe"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID 2664)
    command line: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 3052)
      command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\Trisha 2023 OrganizerPDF.exe (PID 3956)
  command line: "C:\Users\Admin\AppData\Local\Temp\Trisha 2023 OrganizerPDF.exe"
  - System Location Discovery: System Language Discovery

C:\Windows\system32\OpenWith.exe (PID 2412)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 996)
    command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\W2 PDF"
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\LogonUI.exe (PID 4572)
  command line: "LogonUI.exe" /flags:0x4 /state0:0xa39a5055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.8MB
MD5: cbacc158e69f7fefb0f469ddf785698b
SHA1: a5edae4b2d1531338f9bb43d4795180555a67327
SHA256: 5cf31c39a21d82668216c8530facec42939660961ae34a5d0afd4fbd9a2a7b6d
SHA512: cdf2a76d0df19a1b1be5f4b3f72b640ca9445a8f506c6d61646aa04c2afe1ed2ebf2ebe61ac433bfc0bc87ee39af2d896b46a0fc3a5634572f0fa87beecb5016

Filesize: 406.5MB
MD5: 9901ddcd051035087ee1818ac5b3b88c
SHA1: d3d99f1821663907432a094410043251afaa6b08
SHA256: 36d935384caca6942ea3eda9996b1ca46420a47b3cbc70893cf530653072b97f
SHA512: e0491c94caad36c9c41e90d8cd7f2119b763bfe2e8f0651cde3ca7931682ed6ff12a383028e4e65e51bbabfc5c3298451491e8aa25e903d0ae02e5182c6eaab1