Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-09-2024 14:35
Static task
static1
Behavioral task
behavioral1
Sample
QUOTATION.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
QUOTATION.exe
Resource
win10v2004-20240802-en
General
-
Target
QUOTATION.exe
-
Size
900KB
-
MD5
a1e1f9aef9a168423b2f0cd1dbe2ba9a
-
SHA1
921abb3a628f79b295c92d7298da8dfedc1b9376
-
SHA256
66c41f2310824c8b5b2365a2283d28c5b47d2a829afa45a1b00b710259d9622d
-
SHA512
6281720fd5a85723cb6cc85845fa4895cf0190cad58a4924c2a36a0d7d7b6f41b4a2f1c7bf005e969c5e973294c287a3c5c1c2c91029fd40b0d6a697e2bcd673
-
SSDEEP
24576:kpdp7oz4EdD2Vw6byE1MVoLVKbG65MyekkQ40e8nk9IN:kP7iqLy5VoLVCdJe5QX
Malware Config
Extracted
remcos
RemoteHost
www.projectusf.com:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
gfh
-
mouse_option
false
-
mutex
Rmc-J91LMC
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2772 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 800 set thread context of 2908 800 QUOTATION.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language QUOTATION.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language QUOTATION.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2788 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2772 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2772 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2908 QUOTATION.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 800 wrote to memory of 2772 800 QUOTATION.exe 28 PID 800 wrote to memory of 2772 800 QUOTATION.exe 28 PID 800 wrote to memory of 2772 800 QUOTATION.exe 28 PID 800 wrote to memory of 2772 800 QUOTATION.exe 28 PID 800 wrote to memory of 2788 800 QUOTATION.exe 30 PID 800 wrote to memory of 2788 800 QUOTATION.exe 30 PID 800 wrote to memory of 2788 800 QUOTATION.exe 30 PID 800 wrote to memory of 2788 800 QUOTATION.exe 30 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32 PID 800 wrote to memory of 2908 800 QUOTATION.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AWLIvgmtRIHlb.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AWLIvgmtRIHlb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F8C.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2788
-
-
C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2908
-
Network
-
Remote address:8.8.8.8:53Requestwww.projectusf.comIN AResponsewww.projectusf.comIN A103.186.117.77
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN AResponsegeoplugin.netIN A178.237.33.50
-
Remote address:178.237.33.50:80RequestGET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
server: Apache
content-length: 955
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
-
2.5kB 744 B 11 15
-
623 B 2.5kB 12 4
HTTP Request
GET http://geoplugin.net/json.gpHTTP Response
200
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD56367f2aca211c17f1b85a6ee2e6a5cb4
SHA11d29dcdd3c4187f554dda3f85561a7b991139a0a
SHA25697056c365cda8523614f0edefcc9c7f64407faa4216ee34e0c6bf10397ec932d
SHA512303523d002b68fd0d47269f7310d54e54d09e0c1ce22139dc8ff229cbc6dc27243935d2b2847ee148863f116ccea61e0b97cb5d0d6b21d1a737e26509d543282
-
Filesize
1KB
MD57eb1e57fb3b32a12decb122206661312
SHA1bddb5f1dc9627a1328e97affb39f06aca288b952
SHA256d818199ae640a12ea1d3f1123a39d169dc9b179c644cd4de626de5d671610ee0
SHA5122c736099214fd676e28e50e59a2dfc83c616b7a0aae0cf386290b7f9fa85c0f41fbe59aabb7e57d1fa924314db594f8824f58f0f3d322bd782b0f4039ad3aaf7