Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2024 23:11

Static task: static1

Behavioral task: behavioral1
Sample: 1d818c67cd7b934a84588a3207b2e50a.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 1d818c67cd7b934a84588a3207b2e50a.exe
Resource: win10v2004-20240802-en

General

Target: 1d818c67cd7b934a84588a3207b2e50a.exe
Size: 879KB
MD5: 1d818c67cd7b934a84588a3207b2e50a
SHA1: f143719dafea314eb6ae638e9a7694da54c3a445
SHA256: 932c8687387b5fa94ef7b5c11358b0d0dc90ea488729382e09ec126d61457d6d
SHA512: 41e68271ed5c52427c1e9953bc3ac9c0562541a186a6a44712602dd88968fdd2d896f3c56dccc39dac512c9885e0eb9c194d26f148ce484418b001d1bf60401e
SSDEEP: 24576:Ovd+fC6BjsHpE+dOj+18tyAgajKCzMlTyFjSIi0/:O1+a6NsHp3MlhOGM1mO0/
Malware Config

Extracted: remcos

RemoteHost:
  www.c42staging.com:2404
  www.vdoclabs.com:2404
  www.ozkol-aluminyum.com:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: dfghj
mouse_option: false
mutex: Rmc-QCH1J0
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  2356  powershell.exe
  2668  powershell.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                               procid_target
  PID 2140 set thread context of 2044  2140  1d818c67cd7b934a84588a3207b2e50a.exe  39

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1d818c67cd7b934a84588a3207b2e50a.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2608  schtasks.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  2140  1d818c67cd7b934a84588a3207b2e50a.exe  (8 entries)
  2356  powershell.exe
  2668  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2140  1d818c67cd7b934a84588a3207b2e50a.exe
  Token: SeDebugPrivilege  2356  powershell.exe
  Token: SeDebugPrivilege  2668  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2044  vbc.exe

Suspicious use of WriteProcessMemory (37 IoCs)
  description                        pid   Process                               procid_target
  PID 2140 wrote to memory of 2356   2140  1d818c67cd7b934a84588a3207b2e50a.exe  30  (4 entries)
  PID 2140 wrote to memory of 2668   2140  1d818c67cd7b934a84588a3207b2e50a.exe  32  (4 entries)
  PID 2140 wrote to memory of 2608   2140  1d818c67cd7b934a84588a3207b2e50a.exe  34  (4 entries)
  PID 2140 wrote to memory of 2560   2140  1d818c67cd7b934a84588a3207b2e50a.exe  36  (4 entries)
  PID 2140 wrote to memory of 1104   2140  1d818c67cd7b934a84588a3207b2e50a.exe  37  (4 entries)
  PID 2140 wrote to memory of 2928   2140  1d818c67cd7b934a84588a3207b2e50a.exe  38  (4 entries)
  PID 2140 wrote to memory of 2044   2140  1d818c67cd7b934a84588a3207b2e50a.exe  39  (13 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2140

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2356

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wTTruYPumnUe.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2668

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTTruYPumnUe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAAB1.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 2608

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 2560

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 1104

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 2928

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2044
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: 6bcf083bec6d034e015a17bb0ff40436
SHA1: 57ecedd952353a95a8e2cdf6458ef50f4dcd9e2c
SHA256: 23a510ecc92103ae6e47f105634f3c01afff6222951c6c21ce9c704c47490d90
SHA512: eed7c52c038e5c666d53a0d1f2a8fe814827fcc2aff728de9e911923a3ff0596077d8bf14c0b922810190f4897640d3628083730caedce20e494d2a3a5f00da0

Filesize: 1KB
MD5: ad2faadc4e62c92e5cd846d22f99533c
SHA1: d0032f6c9768174bb694fe56462a882abe39acb8
SHA256: 362218ab7a3c1b17b80fe63bf1493663c536bc3c0ecd3b0c3eb556920537b08f
SHA512: ca71c7075bea0a3d8e1b999476d91bb7474668e7cecc7868d293a1411b01655bf784fd4b499eecfe47c85fea1ac68a14ee64d9c279c8083c142410159de151a6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 5267018f40accf4062544dd7b8e875ee
SHA1: f5e71884a19e1a736c3b94c73af86ae4d7a3ddff
SHA256: e8c36c604474a39148ebf2925c219e34c22e34cd13e700710952739939693832
SHA512: 25f8e6efebc913469cd18446464be03943dbd9341e088812bdfbeeeacc753062062e19f1635c2b7de96324c607f73a5210670258b61c020d6fd2516a5b67092e