73daddebaa6aae26beb4e568d1934e08514f235bfc04b2d3b5a7f8cf29d9589e

Resubmissions

26-09-2024 13:24

240926-qnm2assemb 10

26-09-2024 13:09

240926-qd4w3aydpk 10

Analysis

max time kernel
390s
max time network
394s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08d6f9ddd03aafd9ccc617f25af984cfe801206fc1c1b8e7a8cb6c66ea73cb2e.exe
Size

482KB
MD5

599d0aacc8a8b93e5aa5a2eae248cb01
SHA1

7c12c80ebd48295dd21ec15be849ca22015e7d08
SHA256

08d6f9ddd03aafd9ccc617f25af984cfe801206fc1c1b8e7a8cb6c66ea73cb2e
SHA512

ee83365b54c8ea5a011734cecfec202df1a786ebaec98af977670d235b7cc7d3c7e38f2994e7e3daaa1167d309a41df84bff28495d07c23ca1a97077ce790feb
SSDEEP

6144:7Tz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4creT4:7TlrYw1RUh3NFn+N5WfIQIjbs/ZmtT4

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08d6f9ddd03aafd9ccc617f25af984cfe801206fc1c1b8e7a8cb6c66ea73cb2e.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2828	NETSTAT.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2828	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1592	08d6f9ddd03aafd9ccc617f25af984cfe801206fc1c1b8e7a8cb6c66ea73cb2e.exe
2448	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	NETSTAT.EXE
Token: SeDebugPrivilege	2448	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe
2448	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1592	08d6f9ddd03aafd9ccc617f25af984cfe801206fc1c1b8e7a8cb6c66ea73cb2e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2828	1220	cmd.exe	32
PID 1220 wrote to memory of 2828	1220	cmd.exe	32
PID 1220 wrote to memory of 2828	1220	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\08d6f9ddd03aafd9ccc617f25af984cfe801206fc1c1b8e7a8cb6c66ea73cb2e.exe
"C:\Users\Admin\AppData\Local\Temp\08d6f9ddd03aafd9ccc617f25af984cfe801206fc1c1b8e7a8cb6c66ea73cb2e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\system32\NETSTAT.EXE
  netstat -ano
  2⤵
  - System Network Connections Discovery
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:2828

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
436B

MD5
4d56a4a4d9a0a3dd34b039e0c2a49c1d

SHA1
d7f66f69e424f0c5544ee06a7ec6d78073c072a0

SHA256
9430b2f8b82b005a41952ca68a4b1f8e9d5ccc55d5aff3d3468b8dbc40815363

SHA512
9937facf2415caa17a7983e8cefacc8ac0a9ad505edb11322bb6113b6bedd4608361d2bbd5c3535f586e0984739707dc17622e6172388ad2b27f25279a3c24ad

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
738B

MD5
c99b7d803f37f6d0642fa17b5075eb08

SHA1
63edb30cbc5a7c0a1c7023ae0748783474bb0797

SHA256
28482ddad5ef72c325e0af3a4fed1e5cb8d13c481a63ec1648e1f8508318cae9

SHA512
d33132da9de4743d50f103eba40fe2739971317704df8783b9b105d9eff530b7e57d5f08a3a64fe650536b18980ca9fdc8ce630b4ff10d804a8d4c9e9e9f6d90

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
802B

MD5
3b7983043768b79561f8f2fcef915694

SHA1
3f79449bca37a8fa8a79bd44cf49a721e97b6252

SHA256
51ac60abba4894a0d99526a61fa1fe51603b65ca1ece54014e034705a4040086

SHA512
9057361c57bd2829b8580ee35a485a82595a987e6616a5f8e0eef152f47ee0fdd86c08e66d14bc3c42d5d6dd996379e38c8c5f8b7a94e91cdab5e2b4ed4bda71

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
844B

MD5
2601afd571358f235c40550d2417c95e

SHA1
7a55255d02d029eaf42bb48a7e007305b624e7b4

SHA256
016ef8ab268871fd78cea22e24e57c4f568005bd731e6c569da4d9a706610fa5

SHA512
3bc411cdafad5c0f2d5d1b00d30d4d3c2d473457d6c699e3560e03f74932408243db9bd4728ffc4ee6d6e9a2c3e60852a8b89d65afc493849130fd1bd1f2fe5e

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
866B

MD5
6fe3b9768589957c6143eb9c2923782c

SHA1
67dbb7e661811286cb6c473653757a28bbd37061

SHA256
57a25e1abd61db7ff0eed83442844560de5087f951cc8181a6e3a76299e2b651

SHA512
476528665ea9863aa52f17adde12f5af735a5fc13f41a694a435974eda06559aa76c5eef20ca9e1f3f0e28db3e361d0728b1a2a5bea1954ae9aa076f3b491f21

Download Submit
memory/2448-19-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2448-23-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2448-27-0x0000000001C90000-0x0000000001CA0000-memory.dmp

Filesize
64KB

Download