5e0ccd493f01f7cde38bd8b42ad3ab0fadd00b1970f9f1b7e8204dfdc000436f

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReMouseStandard-Setup.exe
Size

5.4MB
MD5

af5e828d540131192c4467424306a35e
SHA1

76e1bb985e723a68aa89a4befbc6bd4f13e0b6ee
SHA256

5e0ccd493f01f7cde38bd8b42ad3ab0fadd00b1970f9f1b7e8204dfdc000436f
SHA512

9b087d75b79f0841bee65b635f52452d2a805a438e7ed0f1947e49cace78b122620f95eb9ded67992425143591aed14d5175025c5f34c695c4fe1857808fd289
SSDEEP

98304:w59KDJowUykzN5k2IQfo+KIa86OXh7xz0TV60hgNnqmWUp5FTurs57UxGQEdCddm:fFowjgN5bLKIaC7xg5j+hd7FTuIp9ktm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1724	ReMouseStandard-Setup.tmp
1956	ReMouse.exe

Loads dropped DLL 10 IoCs

pid	Process
1716	ReMouseStandard-Setup.exe
1724	ReMouseStandard-Setup.tmp
1724	ReMouseStandard-Setup.tmp
1724	ReMouseStandard-Setup.tmp
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00050000000191f6-52.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReMouseStandard-Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReMouseStandard-Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReMouse.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\AutomaticSolution Software\\ReMouse Standard\\conf\\ext\\filetype.ico\""	ReMouse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\ = "ReMouse File"	ReMouseStandard-Setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\DefaultIcon	ReMouseStandard-Setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\shell\open	ReMouseStandard-Setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\AutomaticSolution Software\\ReMouse Standard\\ReMouse.exe\" \"%1\""	ReMouseStandard-Setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\ = "ReMouse File"	ReMouse.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.rms	ReMouseStandard-Setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.rms\ = "rmsfile"	ReMouseStandard-Setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.rms	ReMouse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.rms\ = "rmsfile"	ReMouse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\AutomaticSolution Software\\ReMouse Standard\\ReMouse.exe\" \"%1\""	ReMouse.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\shell\open\command	ReMouse.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile	ReMouseStandard-Setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\AutomaticSolution Software\\ReMouse Standard\\conf\\ext\\filetype.ico"	ReMouseStandard-Setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\shell\open\command	ReMouseStandard-Setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\shell	ReMouseStandard-Setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile	ReMouse.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\rmsfile\DefaultIcon	ReMouse.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1724	ReMouseStandard-Setup.tmp
1724	ReMouseStandard-Setup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1956	ReMouse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1724	ReMouseStandard-Setup.tmp
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe
1956	ReMouse.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1956	ReMouse.exe
1956	ReMouse.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1724	1716	ReMouseStandard-Setup.exe	30
PID 1716 wrote to memory of 1724	1716	ReMouseStandard-Setup.exe	30
PID 1716 wrote to memory of 1724	1716	ReMouseStandard-Setup.exe	30
PID 1716 wrote to memory of 1724	1716	ReMouseStandard-Setup.exe	30
PID 1716 wrote to memory of 1724	1716	ReMouseStandard-Setup.exe	30
PID 1716 wrote to memory of 1724	1716	ReMouseStandard-Setup.exe	30
PID 1716 wrote to memory of 1724	1716	ReMouseStandard-Setup.exe	30
PID 1724 wrote to memory of 1956	1724	ReMouseStandard-Setup.tmp	33
PID 1724 wrote to memory of 1956	1724	ReMouseStandard-Setup.tmp	33
PID 1724 wrote to memory of 1956	1724	ReMouseStandard-Setup.tmp	33
PID 1724 wrote to memory of 1956	1724	ReMouseStandard-Setup.tmp	33

C:\Users\Admin\AppData\Local\Temp\ReMouseStandard-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\ReMouseStandard-Setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\is-ORGVJ.tmp\ReMouseStandard-Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ORGVJ.tmp\ReMouseStandard-Setup.tmp" /SL5="$5014E,5359530,57856,C:\Users\Admin\AppData\Local\Temp\ReMouseStandard-Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\ReMouse.exe
    "C:\Users\Admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\ReMouse.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\conf\ext\app_ico.ico

Filesize
112KB

MD5
61a64215a9f924a636c6518e04514391

SHA1
40448fdbb261e29db28cc3a4732f88e8802a72cc

SHA256
43cb0559c6f67133c9f43ffbfc9e0ec20bd2ee16fc6a4cc21be26cbc15c6dd20

SHA512
fe1224aedffa7907e6c9c903bee74d194cf04bce2f61f630c174c80aa626474c9c90bd564fdc2814ffa1b46e463c8e564b1081b3ff2b13d740c0b46e1d19c56b

Download Submit
C:\Users\Admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\conf\ext\mskbcodes.ini

Filesize
2KB

MD5
137eb2bae98810f3c549813e3832b3e4

SHA1
556f2983410fc22502c29e612003013051766486

SHA256
629fbdca845cb530c5335675f85ce6b517d4c2b961874e317b869ae4c706699b

SHA512
80539c43730d56c02df9a8fd229395e648b9f35faf24c9044b801884d9b29a7fa0df0b8a66851fb4cc8319eaf70c726ebef7f4ca4ac8b318cf1dc5cfaa502344

Download Submit
C:\Users\Admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\conf\rms_conf.ini

Filesize
435B

MD5
f9107282ad3e82b1160e1ace323f358e

SHA1
b0a5ee7380d7d70b4ca307313d1b093b858312fd

SHA256
649ccfa8a0d93c02fd5d6b1cf2db4a0fa4b828810540823a68f6a7c6dd286ac4

SHA512
3a068f39cd42f1049e9b19cada95124d7d936f90068ddafc1999fd6c5c40ba25fe458fcf19eafe0cd6d601d973b76a0a82e0a97d8ae525c0accab0581f456e23

Download Submit
\Users\Admin\AppData\Local\Temp\is-ORGVJ.tmp\ReMouseStandard-Setup.tmp

Filesize
697KB

MD5
832dab307e54aa08f4b6cdd9b9720361

SHA1
ebd007fb7482040ecf34339e4bf917209c1018df

SHA256
cc783a04ccbca4edd06564f8ec88fe5a15f1e3bb26cec7de5e090313520d98f3

SHA512
358d43522fd460eb1511708e4df22ea454a95e5bc3c4841931027b5fa3fb1dda05d496d8ad0a8b9279b99e6be74220fe243db8f08ef49845e9fb35c350ef4b49

Download Submit
\Users\Admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\ReMouse.exe

Filesize
1.3MB

MD5
f3b864b4fc3e090e8ad3ead18a2c20f3

SHA1
a3f627b76d6f5cbf6d3b4d559a9aea89241f6130

SHA256
b5dfb4e59f1764bad01615d94ace06b7c45d4d51d36bbc0f9cbafc2762e47906

SHA512
629ce00bdca3975b9f396915106397ca58a3117e566af902c1aaa4ab7f6f19f66cdd513879ac3543dfa589b3060d8a8b96bdb20e8a0c1049d1abb1f6e1ab1960

Download Submit
\Users\Admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\conf\ext\icons.dll

Filesize
169KB

MD5
32ee6173f137080755bb5127e39ace9e

SHA1
e9c2bc7f5388ce262e2e2ada5637cc2884b7bcbc

SHA256
fe1ea3f712f6883025ecd8cd9553ff0e26189110bdc059a304305b14278d1726

SHA512
191201f067ecb39f8d0e9aa0c4e8a312b660039132d7354448794498cea405ee4f2e691398443717fb35ca32aa88ea628c583a10cb55e698b2bf0097995265e8

Download Submit
\Users\Admin\AppData\Roaming\AutomaticSolution Software\ReMouse Standard\unins000.exe

Filesize
708KB

MD5
95edcb135fd8ae184ff9b604beb77f13

SHA1
44ec750786b4b1ef782942ed49db1cff14a368f6

SHA256
4c62259f8797612fd58e154ff9e5ba7fe114bcbf5fd310f2c9b2a013f2b84013

SHA512
03e513a1aac3e1f171155e89dfce5eeaf5c303aac86068a360a4ebb4465a9078b8a2e0eff41e0966d6737fdea16faea30747c3c90c5557f64ee62efe165f5e1e

Download Submit
memory/1716-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1716-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1716-78-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1724-8-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1724-77-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download