Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
05/10/2024, 19:39 UTC
Static task
static1
Behavioral task
behavioral1
Sample
Confirmation Order.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Confirmation Order.exe
Resource
win10v2004-20240802-en
General
-
Target
Confirmation Order.exe
-
Size
892KB
-
MD5
3b13b07b05ea3f2084ee3c38080fffe3
-
SHA1
dde112544004281ad7d02b36c607bc4a258f22a6
-
SHA256
b93408af1dfa127e3b11d16cd92dab65f448d77fa933259c139bb0f0e6d33a75
-
SHA512
c09987d78d52fc94bc991b40380b6f5752f1b15139850d24ed93e9ea8ce74add4b4b477493fb8c0a6980de9e14fb511123e2571622c3c5a46f4402f09d037fe0
-
SSDEEP
12288:5Eqv8RratEshTEMAiqoWpVvfS4D36FUOJT02id9IV/SxjTWAY+acgp8bQbQk:J8OZTEMAifWTvfuL42id94cgGIQ
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:59321
nnamoo.duckdns.org:59321
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-41EVS0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1104 powershell.exe 2968 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1048 set thread context of 2612 1048 Confirmation Order.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Confirmation Order.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Confirmation Order.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2552 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2968 powershell.exe 1104 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2968 powershell.exe Token: SeDebugPrivilege 1104 powershell.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 1048 wrote to memory of 1104 1048 Confirmation Order.exe 29 PID 1048 wrote to memory of 1104 1048 Confirmation Order.exe 29 PID 1048 wrote to memory of 1104 1048 Confirmation Order.exe 29 PID 1048 wrote to memory of 1104 1048 Confirmation Order.exe 29 PID 1048 wrote to memory of 2968 1048 Confirmation Order.exe 31 PID 1048 wrote to memory of 2968 1048 Confirmation Order.exe 31 PID 1048 wrote to memory of 2968 1048 Confirmation Order.exe 31 PID 1048 wrote to memory of 2968 1048 Confirmation Order.exe 31 PID 1048 wrote to memory of 2552 1048 Confirmation Order.exe 32 PID 1048 wrote to memory of 2552 1048 Confirmation Order.exe 32 PID 1048 wrote to memory of 2552 1048 Confirmation Order.exe 32 PID 1048 wrote to memory of 2552 1048 Confirmation Order.exe 32 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35 PID 1048 wrote to memory of 2612 1048 Confirmation Order.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe"C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bDXSeyoVzkpA.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bDXSeyoVzkpA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD144.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2552
-
-
C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe"C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2612
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:908
Network
-
Remote address:8.8.8.8:53Requestnnamoo.duckdns.orgIN AResponsennamoo.duckdns.orgIN A103.186.117.126
-
Remote address:8.8.8.8:53Requestnnamoo.duckdns.orgIN AResponsennamoo.duckdns.orgIN A103.186.117.126
-
Remote address:8.8.8.8:53Requestnnamoo.duckdns.orgIN AResponsennamoo.duckdns.orgIN A103.186.117.126
-
152 B 120 B 3 3
-
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 80 B 3 2
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
-
152 B 80 B 3 2
-
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 120 B 3 3
-
-
152 B 40 B 3 1
-
-
104 B 2
-
64 B 80 B 1 1
DNS Request
nnamoo.duckdns.org
DNS Response
103.186.117.126
-
64 B 80 B 1 1
DNS Request
nnamoo.duckdns.org
DNS Response
103.186.117.126
-
64 B 80 B 1 1
DNS Request
nnamoo.duckdns.org
DNS Response
103.186.117.126
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e42588a1880ed05c4e523618d1e075d3
SHA19690d29796255b5f970542195b82c0d053ecf904
SHA2567aad57a698c934ffd0d95e1b4f7cbb43a26292af506dd247c70630aad9acaad8
SHA5124cae60e10628ba522079bfa827915baed11f426fcfa529bde83c70dd5bfbc6a3a34d54e5089a0842826b270b732c4b6b6c54e355dbc2726770b5f52791afaefd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5e2e21df7abb06ac4e33ed18185c319c1
SHA1329656f524618018067a9b03630468543d7fb626
SHA256fc7b6d03a0783ba0b8dd7972cb932833d07207f4c68ae9504713b70187fe0e88
SHA5126ec205a2b03a62a4a42aaec39b76a14aaf61a09519296bb41cdd5ba2800d642bb892cfdba9293b7828d97769ea4259c9e978a551059b33be0576e337a7f8f018