Analysis

max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2024 06:27
Static task: static1

Behavioral task: behavioral1
  Sample: UsoOuMVYCv8QrxG.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: UsoOuMVYCv8QrxG.exe
  Resource: win10v2004-20240802-en
General

Target: UsoOuMVYCv8QrxG.exe
Size: 908KB
MD5: fce19affe7db15edd2b851ea84cd37ad
SHA1: 143e9f5102833d028aca51437854e4a56f1dde11
SHA256: 26ed62c404f08cb73c5f52cf8df52546a0c69bef2c50a577afa65a515da0cb22
SHA512: 6046d7e2848132ee293a5b507dd76f84d506d4ed2e3673fb9a8bb5fa2d5645c6920de81f1c84f5fa3ee0b493b2c1941be7f37d650de27cec2b3b9113d820ab7d
SSDEEP: 24576:pIK++j3zMXN4nH3o4Tps96bSKVZgbI0Nrs4kWAh:7jDkN4nH3/pw6bSKVebI0wT
Malware Config

Extracted: remcos

RemoteHost: 192.3.64.152:2559
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-TS121V
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process              procid_target
  PID 4280 set thread context of 4400   4280  UsoOuMVYCv8QrxG.exe  89

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  UsoOuMVYCv8QrxG.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  UsoOuMVYCv8QrxG.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process              procid_target
  PID 4280 wrote to memory of 4400   4280  UsoOuMVYCv8QrxG.exe  89
  (the same row is recorded 12 times: twelve WriteProcessMemory calls from 4280 into 4400)
Processes

C:\Users\Admin\AppData\Local\Temp\UsoOuMVYCv8QrxG.exe  "C:\Users\Admin\AppData\Local\Temp\UsoOuMVYCv8QrxG.exe"  PID: 4280
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\UsoOuMVYCv8QrxG.exe  "C:\Users\Admin\AppData\Local\Temp\UsoOuMVYCv8QrxG.exe"  PID: 4400  (child of 4280)
    - System Location Discovery: System Language Discovery
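The SetThreadContext and WriteProcessMemory signatures above, taken together with the process tree (PID 4280 spawning a second copy of the same executable as PID 4400, writing into it twelve times and then setting its thread context), are the sequence consistent with process hollowing: the parent starts a suspended copy of itself, replaces its memory, and points the main thread at the injected code. The following is an added example, not part of the sandbox report, that parses signature rows in the format shown and flags that pattern. The pid-to-image map is rebuilt from the Processes section; the row regex, the `min_writes` threshold and the function names are assumptions of this example.

```python
"""Flag hollowing-style self-injection from sandbox signature rows.

Added example, not taken from the report. Input rows follow the layout
'PID <pid> <action> <target> <pid> <image> <procid_target>' used above.
"""
import re
from collections import defaultdict

# Constructed from the Processes section above: pid -> image path.
PROCESS_IMAGE = {
    4280: r"C:\Users\Admin\AppData\Local\Temp\UsoOuMVYCv8QrxG.exe",
    4400: r"C:\Users\Admin\AppData\Local\Temp\UsoOuMVYCv8QrxG.exe",
}

# Constructed from the two signature tables above: 1 SetThreadContext row
# followed by the 12 identical WriteProcessMemory rows.
SIGNATURE_LINES = (
    ["PID 4280 set thread context of 4400 4280 UsoOuMVYCv8QrxG.exe 89"]
    + ["PID 4280 wrote to memory of 4400 4280 UsoOuMVYCv8QrxG.exe 89"] * 12
)

# Assumed row layout (an assumption of this example, matching the tables above).
ROW_RE = re.compile(
    r"^PID (?P<pid>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) (?P<pid_again>\d+) (?P<image>\S+) (?P<procid_target>\d+)$"
)


def parse_rows(lines):
    """Parse signature rows into dicts; rows that do not fit the layout are skipped."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "pid": int(m["pid"]),
            "target": int(m["target"]),
            "action": "SetThreadContext" if m["action"].startswith("set") else "WriteProcessMemory",
            "image": m["image"],
        })
    return rows


def find_hollowing_candidates(rows, process_image, min_writes=2):
    """Return parent/child pairs where the parent both wrote into the child
    and set its thread context, and both run the same image.

    min_writes filters out a lone WriteProcessMemory (a one-off patch is not
    a hollowing); replacing an image takes several writes (headers, sections).
    """
    writes = defaultdict(int)
    context_set = set()
    for r in rows:
        key = (r["pid"], r["target"])
        if r["action"] == "WriteProcessMemory":
            writes[key] += 1
        else:
            context_set.add(key)

    hits = []
    for parent, child in sorted(context_set):
        if writes[(parent, child)] < min_writes:
            continue
        p_img = process_image.get(parent)
        c_img = process_image.get(child)
        # Self-injection: the child runs the very same image the parent does.
        if p_img and c_img and p_img.lower() == c_img.lower():
            hits.append({"parent": parent, "child": child,
                         "writes": writes[(parent, child)], "image": c_img})
    return hits


if __name__ == "__main__":
    for hit in find_hollowing_candidates(parse_rows(SIGNATURE_LINES), PROCESS_IMAGE):
        print(f"hollowing candidate: {hit['parent']} -> {hit['child']} "
              f"({hit['writes']} writes into {hit['image']})")
```

The same-image check is what separates this from ordinary injection into a foreign process; a loader that hollows `svchost.exe` would need the image comparison relaxed to "parent wrote into a child it created suspended", which the sandbox rows here do not carry.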

Network

Remote address: 8.8.8.8:53
  Request:  228.249.119.40.in-addr.arpa IN PTR
  Response: (none)

Remote address: 8.8.8.8:53
  Request:  136.32.126.40.in-addr.arpa IN PTR
  Response: (none)

Remote address: 8.8.8.8:53
  Request:  152.64.3.192.in-addr.arpa IN PTR
  Response: 152.64.3.192.in-addr.arpa IN PTR 192-3-64-152-host.colocrossing.com

Remote address: 8.8.8.8:53
  Request:  geoplugin.net IN A
  Response: geoplugin.net IN A 178.237.33.50

Remote address: 178.237.33.50:80
  Request:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
  Response:
    HTTP/1.1 200 OK
    server: Apache
    content-length: 955
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *

Remote address: 8.8.8.8:53
  Request:  50.33.237.178.in-addr.arpa IN PTR
  Response: 50.33.237.178.in-addr.arpa IN CNAME 50.32/27.178.237.178.in-addr.arpa

Remote address: 8.8.8.8:53
  Request:  183.59.114.20.in-addr.arpa IN PTR
  Response: (none)

Remote address: 8.8.8.8:53
  Request:  206.23.85.13.in-addr.arpa IN PTR
  Response: (none)

Remote address: 8.8.8.8:53
  Request:  24.58.20.217.in-addr.arpa IN PTR
  Response: (none)

Remote address: 8.8.8.8:53
  Request:  88.210.23.2.in-addr.arpa IN PTR
  Response: 88.210.23.2.in-addr.arpa IN PTR a2-23-210-88.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
  Request:  11.227.111.52.in-addr.arpa IN PTR
  Response: (none)

Traffic summary

sent    received  pkts out  pkts in   detail
3.3kB   1.5kB     13        16        (unlabelled flow, no protocol details)
623 B   1.3kB     12        3         HTTP request: GET http://geoplugin.net/json.gp, HTTP response: 200
73 B    159 B     1         1         DNS request: 228.249.119.40.in-addr.arpa
72 B    158 B     1         1         DNS request: 136.32.126.40.in-addr.arpa
71 B    119 B     1         1         DNS request: 152.64.3.192.in-addr.arpa
59 B    75 B      1         1         DNS request: geoplugin.net, DNS response: 178.237.33.50
72 B    155 B     1         1         DNS request: 50.33.237.178.in-addr.arpa
72 B    158 B     1         1         DNS request: 183.59.114.20.in-addr.arpa
71 B    145 B     1         1         DNS request: 206.23.85.13.in-addr.arpa
71 B    131 B     1         1         DNS request: 24.58.20.217.in-addr.arpa
70 B    133 B     1         1         DNS request: 88.210.23.2.in-addr.arpa
72 B    158 B     1         1         DNS request: 11.227.111.52.in-addr.arpa
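Two parts of the report line up: the extracted config names `RemoteHost 192.3.64.152:2559`, and the network log shows a PTR query for `152.64.3.192.in-addr.arpa` (the same address reversed) answered with a ColoCrossing hostname, alongside an `A` lookup and `GET /json.gp` to geoplugin.net, a public geolocation service. The config flags also decide which host artifacts a responder should expect: with `install_flag`, `keylog_flag` and the screenshot flags all `false`, only the mutex is a sure thing; the `remcos.exe` copy, `logs.dat` and the Screenshots folder are configured names that this build does not activate on start-up. The following is an added example, not part of the sandbox report, that converts the PTR names back to addresses, matches them against the config C2, extracts the HTTP geolocation check, and derives the flag-gated artifact list. The DNS and HTTP entries are constructed from the rows above (with the dotted hostnames written out), and the tuple layout, the function names and the flag-to-artifact mapping are assumptions of this example.

```python
"""Correlate a Remcos config with sandbox DNS/HTTP rows.

Added example, not taken from the report. Log entries are constructed from
the Network section above; their tuple layout is an assumption of this example.
"""
import ipaddress

# Constructed from the Malware Config section (only the keys used here).
CONFIG = {
    "RemoteHost": "192.3.64.152:2559",
    "mutex": "Rmc-TS121V",
    "install_flag": False, "copy_folder": "Remcos", "copy_file": "remcos.exe",
    "keylog_flag": False, "keylog_folder": "remcos", "keylog_file": "logs.dat",
    "screenshot_flag": False, "take_screenshot_option": False,
    "screenshot_path": "%AppData%", "screenshot_folder": "Screenshots",
}

# Constructed DNS rows: (resolver, qname, qtype, answer or None).
DNS_LOG = [
    ("8.8.8.8:53", "228.249.119.40.in-addr.arpa", "PTR", None),
    ("8.8.8.8:53", "136.32.126.40.in-addr.arpa", "PTR", None),
    ("8.8.8.8:53", "152.64.3.192.in-addr.arpa", "PTR", "192-3-64-152-host.colocrossing.com"),
    ("8.8.8.8:53", "geoplugin.net", "A", "178.237.33.50"),
    ("8.8.8.8:53", "50.33.237.178.in-addr.arpa", "PTR", None),
    ("8.8.8.8:53", "183.59.114.20.in-addr.arpa", "PTR", None),
    ("8.8.8.8:53", "206.23.85.13.in-addr.arpa", "PTR", None),
    ("8.8.8.8:53", "24.58.20.217.in-addr.arpa", "PTR", None),
    ("8.8.8.8:53", "88.210.23.2.in-addr.arpa", "PTR", "a2-23-210-88.deploy.static.akamaitechnologies.com"),
    ("8.8.8.8:53", "11.227.111.52.in-addr.arpa", "PTR", None),
]
# Constructed HTTP rows: (remote, method, host, path, status).
HTTP_LOG = [("178.237.33.50:80", "GET", "geoplugin.net", "/json.gp", 200)]


def ptr_to_ip(qname):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None for anything that is not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def c2_from_config(config):
    host, _, port = config["RemoteHost"].rpartition(":")
    return host, int(port)


def correlate(config, dns_log, http_log):
    """Build one IOC view: C2 endpoint, what its IP reverse-resolves to,
    every address the sample reverse-looked-up, and any HTTP geo check."""
    c2_host, c2_port = c2_from_config(config)
    out = {"c2": f"{c2_host}:{c2_port}", "c2_ptr": None,
           "reverse_lookups": [], "http": [], "geo_check": False}
    for _resolver, qname, qtype, answer in dns_log:
        if qtype != "PTR":
            continue
        ip = ptr_to_ip(qname)
        if ip is None:
            continue
        out["reverse_lookups"].append(ip)
        if ip == c2_host:          # the sample looked up its own C2 address
            out["c2_ptr"] = answer
    for _remote, method, host, path, status in http_log:
        out["http"].append(f"{method} http://{host}{path} -> {status}")
        if host == "geoplugin.net" or host.endswith(".geoplugin.net"):
            out["geo_check"] = True
    return out


def host_artifacts(config):
    """Artifacts to hunt for, gated by the build flags. Flags describe what the
    build does on its own at start-up; commands the operator sends later over
    the C2 channel are not visible in the config."""
    arts = {"mutex": config["mutex"]}
    if config["install_flag"]:
        arts["install_copy"] = config["copy_folder"] + "\\" + config["copy_file"]
    if config["keylog_flag"]:
        arts["keylog"] = config["keylog_folder"] + "\\" + config["keylog_file"]
    if config["screenshot_flag"] or config["take_screenshot_option"]:
        arts["screenshots"] = config["screenshot_path"] + "\\" + config["screenshot_folder"]
    return arts


if __name__ == "__main__":
    print(correlate(CONFIG, DNS_LOG, HTTP_LOG))
    print(host_artifacts(CONFIG))
```

The ColoCrossing PTR answer is worth keeping next to the bare IP in any block list, since the hostname survives a change of the C2 port in a rebuilt config, and the geoplugin.net request is a useful weak network signal for this family because it is made before any C2 traffic and goes to a third party that most enterprise endpoints never contact.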