Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-09-2024 13:14
General
-
Target
18V4860 TS Light Diesel.exe
-
Size
881KB
-
MD5
88ad99bd08e94b721914d8368c3a259b
-
SHA1
8d6518f2ea260d9835c3ed7190808fc263ed010a
-
SHA256
4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16
-
SHA512
9dece9766da615b5b5b72c1d8167f7c3f54a73d3cc95a024e6b541e7c6c278606d9e8fdba37102cb251ed227a16780630033a6e8dcee9acc075fd417bb8c3e54
-
SSDEEP
24576:qQ/EymH4hro8jGqj56ulEJ8v+FgFOfY823:3yHGrhGqdFlECv+CX
Malware Config
Extracted
remcos
RemoteHost
www.drechftankholding.com:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
dfgh
-
mouse_option
false
-
mutex
Rmc-8J6PG9
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18V4860 TS Light Diesel.exe"C:\Users\Admin\AppData\Local\Temp\18V4860 TS Light Diesel.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\18V4860 TS Light Diesel.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PNLFWPpnxTlxjH.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PNLFWPpnxTlxjH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50C.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\ulpkdob"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\wgucegmohc"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\hiivxzxhukbtp"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD545cac4aa8510da867c8e1dbd53de53d7
SHA15cb72562c70978a2cc877aec7c92ba65336d9ec9
SHA256f87a114c06410d9f26368ea0e6496b59e2e4b146ecfb6e3c67d1cb1679ab1fc0
SHA512099aca9a72ce748c13eff61ce5df2a3cf29679bae538d31ac78ac1f1450a9a9da998f13806f8237d73b20fc9231bf7de2d08f2d910cfc2e69208c87b046fea46
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5402775a62a0cf0e66b0db58b8a197b2c
SHA16ea7e0674a141596ff2fd0790b22d19a18c2eb07
SHA25694e1aa34b041d0a9edb17aae3b4b85792aba5518d1495d63d850447eae51680f
SHA512991f7c2c6ae933fa481685cae7e5dcaceae8a034ce2a6032fb0143de5ad6424d66020daf2503730fd29ce4ec78d4b4369a97092cf15f6da8aac08b2524630126
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5d3278e1555d285e7355c9a0adb16131f
SHA190cba8e6f0e1e69fa461d6789689a3c5c8451a95
SHA25618ff7cd05aa888496a2d8be670139b1a7bbbe95fcc77f65a4047f42d6f4c55f8
SHA512dae72c692a298467ff85ab2ca1bec04e6f9cde93ba0fd217349eb890b6e310c1008654a4801eba70f247f402afb192a6cfeeb568888159fde48bb406d6ee604d
-
Filesize
4KB
MD5a7e181f6aa185be0ab0ca68b30406fe6
SHA158c86162658dc609615b8b6400f85c92506dfdc8
SHA256c3071dc55b94db225d9c0f2c1b21c7e8f27dbfd168b85b7d618d8d19950e7ff2
SHA51249969eb10e0bf7925940eb7374451f811658ef9ccfb83b86fb337c4d06c3ba17eb0181f598d9e0ec9ca25bfaf644209ac47b73d62ac924e73d03a4dcf8f8dd0f
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
904KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
768KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB