Analysis
-
max time kernel
178s
-
max time network
181s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240802-en
-
resource tags
arch:x64
arch:x86
image:win10v2004-20240802-en
locale:en-us
os:windows10-2004-x64
system
-
submitted
24-09-2024 22:14
Static task
static1
Behavioral task
behavioral1
Sample
ad94d38043653bb4972cc2bc198aa10e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ad94d38043653bb4972cc2bc198aa10e.exe
Resource
win10v2004-20240802-en
General
-
Target
ad94d38043653bb4972cc2bc198aa10e.exe
-
Size
137KB
-
MD5
ad94d38043653bb4972cc2bc198aa10e
-
SHA1
f0ee00b32cf03a1375272025bb46e7d72f43f5fe
-
SHA256
62cb3eef7360045ad839007ee3a28e7dfaba23607b875a0ac6543020b06f4a8b
-
SHA512
a1c06fa0ee2467d9dabfc04d4e4488f891fa1228b344c1a08756121b56f895199f02cf8edcb461737c1e178b9bebdb504e5cd6dfa833d4f89054ce9a03b0498a
-
SSDEEP
1536:I/UaoG+jAmd/FMz4+hxI+XmVegnTFmk7zp5K7/axJ2:I/tajAy/60VogZmkx5Kj5
Malware Config
Extracted
remcos
NUEVOS2
comino83.con-ip.com:1835
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
registros.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
BBNNSNNDHJDJS-LPAR7G
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Capturas de pantalla
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 3652 created 3496 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 56
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pago = "C:\\Users\\Admin\\AppData\\Roaming\\pago.exe" | ad94d38043653bb4972cc2bc198aa10e.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3652 set thread context of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ad94d38043653bb4972cc2bc198aa10e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
3652 | ad94d38043653bb4972cc2bc198aa10e.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe
Token: SeDebugPrivilege | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2200 | InstallUtil.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
PID 3652 wrote to memory of 2200 | 3652 | ad94d38043653bb4972cc2bc198aa10e.exe | 89
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Tree level: 1
PID:3496
-
C:\Users\Admin\AppData\Local\Temp\ad94d38043653bb4972cc2bc198aa10e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ad94d38043653bb4972cc2bc198aa10e.exe"
Tree level: 2
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Tree level: 2
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2200
-
Network
-
Remote address: 8.8.8.8:53
Request: files.catbox.moe IN A
Response: files.catbox.moe IN A 108.181.20.37
-
Remote address: 108.181.20.37:443
Request:
GET /dyyl2g.vdf HTTP/1.1
Host: files.catbox.moe
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Tue, 24 Sep 2024 22:15:03 GMT
Content-Type: application/octet-stream
Content-Length: 1145864
Last-Modified: Thu, 12 Sep 2024 13:32:28 GMT
Connection: keep-alive
ETag: "66e2ed6c-117c08"
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self';
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD
Accept-Ranges: bytes
-
Remote address: 8.8.8.8:53
Request: 209.205.72.20.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 37.20.181.108.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 81.144.22.2.in-addr.arpa IN PTR
Response: 81.144.22.2.in-addr.arpa IN PTR a2-22-144-81deploystaticakamaitechnologiescom
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: comino83.con-ip.com IN A
Response: comino83.con-ip.com IN A 179.14.10.124
-
Remote address: 8.8.8.8:53
Request: 86.23.85.13.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 15.164.165.52.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 13.227.111.52.in-addr.arpa IN PTR
Response:
-
Remote address: 108.181.20.37:443
URL: https://files.catbox.moe/dyyl2g.vdf
Protocol: tls, http
Process: ad94d38043653bb4972cc2bc198aa10e.exe
Sent: 20.9kB (443 packets) / Received: 1.2MB (857 packets)
HTTP Request
GET https://files.catbox.moe/dyyl2g.vdf
HTTP Response
200
-
260 B, 5 packets
-
260 B, 5 packets
-
260 B, 5 packets
-
260 B, 5 packets
-
260 B, 5 packets
-
260 B, 5 packets
-
260 B, 5 packets
-
104 B, 2 packets
-
Sent: 62 B (1 packet) / Received: 78 B (1 packet)
DNS Request
files.catbox.moe
DNS Response
108.181.20.37
-
Sent: 72 B (1 packet) / Received: 158 B (1 packet)
DNS Request
209.205.72.20.in-addr.arpa
-
Sent: 72 B (1 packet) / Received: 134 B (1 packet)
DNS Request
37.20.181.108.in-addr.arpa
-
Sent: 70 B (1 packet) / Received: 133 B (1 packet)
DNS Request
81.144.22.2.in-addr.arpa
-
Sent: 73 B (1 packet) / Received: 144 B (1 packet)
DNS Request
95.221.229.192.in-addr.arpa
-
Sent: 65 B (1 packet) / Received: 81 B (1 packet)
DNS Request
comino83.con-ip.com
DNS Response
179.14.10.124
-
Sent: 70 B (1 packet) / Received: 144 B (1 packet)
DNS Request
86.23.85.13.in-addr.arpa
-
Sent: 72 B (1 packet) / Received: 146 B (1 packet)
DNS Request
15.164.165.52.in-addr.arpa
-
Sent: 74 B (1 packet) / Received: 128 B (1 packet)
DNS Request
172.214.232.199.in-addr.arpa
-
Sent: 72 B (1 packet) / Received: 158 B (1 packet)
DNS Request
13.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
184B
MD5
5ec841db787eb9bedd7dcf8bab7517b6
SHA1
fea3b593e6f022a3c4f4028df2d6c7badaaa2689
SHA256
78b5291463c5462ac921e5d1753bac79a5fa6d76deb34381f00a13d9d3937729
SHA512
05fa7e4e707f85e6a069925870fb0ad5989fd8da934ab418cd7f50cd94d6b11ac3a973c8aa1c11aa4b2db6ae70357eae385d64e659820628760d072bd064a53d