Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2024 16:05
Static task
static1
Behavioral task
behavioral1
Sample
CompanyDetails.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
CompanyDetails.exe
Resource
win10v2004-20240802-en
General
-
Target
CompanyDetails.exe
-
Size
988KB
-
MD5
dc6296c1f5ec3b6e4dcbc33d0fcf3616
-
SHA1
64c81ccb99415efe3aaffcfeea93d15fc08b735b
-
SHA256
d776f6152105609e96a665bf681b71c945da8341b326410ee20e6a31b234d4c9
-
SHA512
e28695c316d1b5d2d35726ed3f68ebccc1d07083d3b533b90ac9a1cf697ebbee8794278625107f305e22b55c68a1a820a73103f208f6f6a0f40ecf24f4b5db98
-
SSDEEP
24576:72R1pA1DLK3qSmuyhBaNV8DDCANtsMFSzraULSgk:OPA1DLKagy4V8DftsgSzraR
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:59321
nnamoo.duckdns.org:59321
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-41EVS0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3120 powershell.exe 4928 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation CompanyDetails.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3020 set thread context of 3736 3020 CompanyDetails.exe 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CompanyDetails.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CompanyDetails.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1840 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3020 CompanyDetails.exe 3120 powershell.exe 4928 powershell.exe 3020 CompanyDetails.exe 3020 CompanyDetails.exe 3020 CompanyDetails.exe 3120 powershell.exe 4928 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3020 CompanyDetails.exe Token: SeDebugPrivilege 4928 powershell.exe Token: SeDebugPrivilege 3120 powershell.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 3020 wrote to memory of 3120 3020 CompanyDetails.exe 89 PID 3020 wrote to memory of 3120 3020 CompanyDetails.exe 89 PID 3020 wrote to memory of 3120 3020 CompanyDetails.exe 89 PID 3020 wrote to memory of 4928 3020 CompanyDetails.exe 91 PID 3020 wrote to memory of 4928 3020 CompanyDetails.exe 91 PID 3020 wrote to memory of 4928 3020 CompanyDetails.exe 91 PID 3020 wrote to memory of 1840 3020 CompanyDetails.exe 93 PID 3020 wrote to memory of 1840 3020 CompanyDetails.exe 93 PID 3020 wrote to memory of 1840 3020 CompanyDetails.exe 93 PID 3020 wrote to memory of 5024 3020 CompanyDetails.exe 95 PID 3020 wrote to memory of 5024 3020 CompanyDetails.exe 95 PID 3020 wrote to memory of 5024 3020 CompanyDetails.exe 95 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96 PID 3020 wrote to memory of 3736 3020 CompanyDetails.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\CompanyDetails.exe"C:\Users\Admin\AppData\Local\Temp\CompanyDetails.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CompanyDetails.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YHWyXapflg.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YHWyXapflg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF24F.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1840
-
-
C:\Users\Admin\AppData\Local\Temp\CompanyDetails.exe"C:\Users\Admin\AppData\Local\Temp\CompanyDetails.exe"2⤵PID:5024
-
-
C:\Users\Admin\AppData\Local\Temp\CompanyDetails.exe"C:\Users\Admin\AppData\Local\Temp\CompanyDetails.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3736
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.143.123.92.in-addr.arpaIN PTRResponse240.143.123.92.in-addr.arpaIN PTRa92-123-143-240deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request146.177.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestnnamoo.duckdns.orgIN AResponsennamoo.duckdns.orgIN A103.186.117.126
-
Remote address:8.8.8.8:53Request126.117.186.103.in-addr.arpaIN PTRResponse126.117.186.103.in-addr.arpaIN PTRwixcom
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN AResponsegeoplugin.netIN A178.237.33.50
-
Remote address:178.237.33.50:80RequestGET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
server: Apache
content-length: 955
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
-
Remote address:8.8.8.8:53Request50.33.237.178.in-addr.arpaIN PTRResponse50.33.237.178.in-addr.arpaIN CNAME50.32/27.178.237.178.in-addr.arpa
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.135.221.88.in-addr.arpaIN PTRResponse217.135.221.88.in-addr.arpaIN PTRa88-221-135-217deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request43.56.20.217.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.236.111.52.in-addr.arpaIN PTRResponse
-
3.2kB 1.5kB 13 16
-
623 B 1.3kB 12 3
HTTP Request
GET http://geoplugin.net/json.gpHTTP Response
200 -
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
240.143.123.92.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
146.177.190.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
64 B 80 B 1 1
DNS Request
nnamoo.duckdns.org
DNS Response
103.186.117.126
-
74 B 95 B 1 1
DNS Request
126.117.186.103.in-addr.arpa
-
59 B 75 B 1 1
DNS Request
geoplugin.net
DNS Response
178.237.33.50
-
72 B 155 B 1 1
DNS Request
50.33.237.178.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
217.135.221.88.in-addr.arpa
-
71 B 131 B 1 1
DNS Request
43.56.20.217.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.236.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5fa3a8042102018bc1cab27b24d7444f1
SHA1b84b676e36402c24b23420d29a681bf3db77be33
SHA256970efd3c37c4f7be37783c2980f5ee5676e76c88c00eeb35cdb055256db94551
SHA5123da4aac2bcc744b122947ef37b64b3e0e6cd25a0ad1ce10434a26718e781665ea0a7fff3ee964284fc1f776769a3a9f439f4035d0fd03ac47489b3619674d646
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD53a09d69a5c674e8f5632b6ea19364693
SHA1cacd767900b654475d620527130847f236ff31ae
SHA25635a0336dae5942ae2343701ddd4b2cb25b8961527a8056b644f1bec4ffdd371c
SHA512d2a8bbfca5f1192add8c7c5d4dd18416727e4426359a65cf4d133f6f5d58d65cccaaa97bef8ec857ce8ce803d3c6b054439893cbebfe376c5c7799deb132d40c