89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce

Analysis

max time kernel
125s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/09/2024, 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe
Size

483KB
MD5

c80e7a64589dc19b6cbe79d371df5247
SHA1

41e8427fe153726b7c74f93a7e5aa0f4268ef25d
SHA256

89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce
SHA512

5575ce6ecce06dff1da09ce8dc7b39e4e945582992e441bad9fbab66bbd0114065af0c7a930e17ef0ad7125c0b6112aaaa4d10c763153bff7078dd3a2fd20cc6
SSDEEP

6144:ZTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4cr3T4:ZTlrYw1RUh3NFn+N5WfIQIjbs/ZmcT4

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1580	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2080	89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1580	2080	89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe	31
PID 2080 wrote to memory of 1580	2080	89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe	31
PID 2080 wrote to memory of 1580	2080	89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe	31
PID 2080 wrote to memory of 1580	2080	89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe	31

C:\Users\Admin\AppData\Local\Temp\89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe
"C:\Users\Admin\AppData\Local\Temp\89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\crthdaixxvtxowitybkrezsrglp.vbs"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
1a60d9a085e06b9e25a4557b4d6175cd

SHA1
6baf60b8e4ba7c8ce09ecdb4e39b581b080f5530

SHA256
a5835f34483f9f651130b7f6943b39746ee7dcf0601d03f11d9a8e32cb0172ec

SHA512
01e93861c96a91d23b1b3c8c39fa708a33817e0dcc91777b8691cfcc2973d9571a70ed1b9bc4608456233181904255369dd63f007ede56b475e1d252e4f8d9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\crthdaixxvtxowitybkrezsrglp.vbs

Filesize
728B

MD5
1e7384c699d4922714e71c2f4b175626

SHA1
3dedf3a1f2f8754682038297dd3e61ec6757d1a0

SHA256
5f1c0f796c8528b8ba90919763efaed8cb7e19692ea5def61d450582ceb32250

SHA512
1bd16e784694309926108f2c875e1467f847f890b556a4ad7cb07c7f1871b3c02abb2b2f60e263ca6b4e60c46ff31d259937a47df48e4a7f7d679cba68edaf89

Download Submit