Analysis
  Max time kernel: 128s
  Max time network: 154s
  Platform: windows10-2004_x64
  Resource: win10v2004-20241007-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 13-11-2024 22:23

Static task: static1
Behavioral task: behavioral1
  Sample: Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
  Resource: win10v2004-20241007-en
General
  Target: Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
    (filename kept as submitted; the Spanish reads "By means of this letter, you are hereby informed that, by virtue of proceeding No. 2024-52100-63561-56165", a legal-notice lure, with the executable named ejec.exe)
  Size: 6.9MB
  MD5: d15499b47bac23ac6c8f5f702fb21a24
  SHA1: b8ee221f0025fc5d21b3c90d977e66fb0af91f63
  SHA256: 88c9ac51024b2d980e1076795b99f22be6c6a99e9cbc195531c65deeeae6381d
  SHA512: eb927e17e4468c0bcf0e4e66dd109ec94f3810b095e8b3106dc50753a84f4f67416f21923adb2caaaafb430cfacc1eef1e3817f52e564db4a7785fad16ae29e0
  SSDEEP: 98304:/XTFjm3UAtTlMPoWXCo0B4nDk1vmp28nnnYFpyy3xjxTzCv/XLU:/XTFjm3TtTlMPoW4B95mpsdxVCvf4
Malware Config
  Extracted: remcos
  Botnet id: ROJO (Spanish for "RED")
  C2: nuevodntestchec.addns.org:3018
  audio_folder: MicRecords
  audio_path: ApplicationPath
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: false
  keylog_file: registros.dat (Spanish for "records.dat")
  keylog_flag: false
  keylog_folder: data
  mouse_option: false
  mutex: jjajbsfbisfablklsafg-LEIC4X
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Capturas de pantalla (Spanish for "Screenshots")
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: (empty)
  take_screenshot_option: false
  take_screenshot_time: 5
Signatures
  In the rows below, "sample" denotes the submitted file Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe (PID 1788).

  Remcos family
  Downloads MZ/PE file
  Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UnuKick = "C:\\Users\\Admin\\Videos\\Kick\\VideoUnu.exe"
    Process: sample
  Suspicious use of SetThreadContext (2 IoCs)
    PID 1788 sample set thread context of PID 4448 csc.exe (procid_target 93)
    PID 4448 csc.exe set thread context of PID 3812 MSBuild.exe (procid_target 95)
  Drops file in Windows directory (1 IoC)
    File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Process: MSBuild.exe
  System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MSBuild.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by WScript.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by sample
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by csc.exe
  Modifies registry class (1 IoC)
    Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings by MSBuild.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    PID 4448 csc.exe (2 events)
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeDebugPrivilege, PID 4448 csc.exe
  Suspicious use of SetWindowsHookEx (1 IoC)
    PID 3812 MSBuild.exe
  Suspicious use of WriteProcessMemory (21 IoCs, grouped by source -> target)
    PID 1788 sample -> PID 4448 csc.exe (procid_target 93): 5 events
    PID 4448 csc.exe -> PID 5640 MSBuild.exe (procid_target 94): 3 events
    PID 4448 csc.exe -> PID 3812 MSBuild.exe (procid_target 95): 10 events
    PID 3812 MSBuild.exe -> PID 5888 WScript.exe (procid_target 98): 3 events
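The SetThreadContext and WriteProcessMemory rows above describe a two-stage hollowing chain: the sample (PID 1788, running from %TEMP%) starts csc.exe with no arguments, writes into it and replaces its thread context; the hollowed csc.exe (PID 4448) takes SeDebugPrivilege and repeats the procedure on MSBuild.exe, first against PID 5640 (writes only, no thread-context change and no further activity recorded) and then against PID 3812, which becomes the Remcos host. Both .NET binaries come from the 32-bit Framework directory, which matches the child WScript.exe being resolved to SysWOW64. The parent-to-child writes from MSBuild.exe to WScript.exe, by contrast, are ordinary process creation. The Python below is an added example, not the sandbox's code: it rebuilds that chain from constructed event records modelled on the rows above (the record schema is an assumption) and flags the two features a detection should key on, a WriteProcessMemory and SetThreadContext pair against the same target, and a compiler or build tool started with an empty command line.

```python
"""Correlate process-injection events into a hollowing chain.

Added example for this report, not the sandbox's code. The event records
below are constructed from the report's SetThreadContext/WriteProcessMemory
rows (PIDs 1788 -> 4448 -> 3812); the record schema itself is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass

# .NET Framework binaries frequently launched as empty hosts for a hollowed payload.
HOLLOWING_HOSTS = {"csc.exe", "msbuild.exe", "vbc.exe", "regasm.exe",
                   "regsvcs.exe", "installutil.exe"}


@dataclass(frozen=True)
class Event:
    api: str             # "WriteProcessMemory" or "SetThreadContext"
    pid: int             # acting process
    image: str           # acting process image path
    target_pid: int
    target_image: str
    target_cmdline: str  # command line the target was started with


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, "
          r"en virtud del proceso No. 2024-52100-63561-56165, ejec.exe")
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
WSCRIPT_CMD = r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dgzaswrowflohczggavxhg.vbs"'

# Constructed records mirroring the report's counts (21 WriteProcessMemory, 2 SetThreadContext).
EVENTS = [
    *[Event("WriteProcessMemory", 1788, SAMPLE, 4448, CSC, f'"{CSC}"') for _ in range(5)],
    Event("SetThreadContext", 1788, SAMPLE, 4448, CSC, f'"{CSC}"'),
    *[Event("WriteProcessMemory", 4448, CSC, 5640, MSBUILD, MSBUILD) for _ in range(3)],
    *[Event("WriteProcessMemory", 4448, CSC, 3812, MSBUILD, MSBUILD) for _ in range(10)],
    Event("SetThreadContext", 4448, CSC, 3812, MSBUILD, MSBUILD),
    *[Event("WriteProcessMemory", 3812, MSBUILD, 5888, WSCRIPT, WSCRIPT_CMD) for _ in range(3)],
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_bare(image: str, cmdline: str) -> bool:
    """True when the command line is nothing but the image path.
    A compiler or build tool started this way has nothing to compile or build."""
    return cmdline.strip().strip('"').lower() == image.lower()


def find_hollowing(events):
    """Return {(pid, target_pid): [reasons]} for every target that received
    both WriteProcessMemory and SetThreadContext from the same acting process."""
    apis = defaultdict(set)
    last = {}
    for e in events:
        apis[(e.pid, e.target_pid)].add(e.api)
        last[(e.pid, e.target_pid)] = e
    findings = {}
    for key, seen in apis.items():
        if not {"WriteProcessMemory", "SetThreadContext"} <= seen:
            continue  # plain parent->child writes (e.g. MSBuild -> WScript) stay out
        e = last[key]
        reasons = ["WriteProcessMemory and SetThreadContext on the same target"]
        if basename(e.target_image) in HOLLOWING_HOSTS:
            reasons.append(f"target {basename(e.target_image)} is a commonly abused .NET host")
        if launched_bare(e.target_image, e.target_cmdline):
            reasons.append("target was launched with no arguments")
        findings[key] = reasons
    return findings


def injection_chain(findings, root_pid):
    """Follow hollowing findings from root_pid to the final host, e.g. [1788, 4448, 3812]."""
    chain = [root_pid]
    while True:
        nxt = [t for (s, t) in findings if s == chain[-1]]
        if not nxt or nxt[0] in chain:
            return chain
        chain.append(nxt[0])


if __name__ == "__main__":
    found = find_hollowing(EVENTS)
    for (src, dst), reasons in sorted(found.items()):
        print(f"{src} -> {dst}: " + "; ".join(reasons))
    print("chain:", " -> ".join(map(str, injection_chain(found, 1788))))
```

Requiring both APIs on the same target is what keeps the MSBuild.exe to WScript.exe writes (normal CreateProcess behaviour) out of the findings, and the empty-command-line check is cheap to run on Sysmon or EDR process-creation events even before any memory-access telemetry arrives.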
Processes
  [depth 1] C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe"
    PID: 1788
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      PID: 4448
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        PID: 5640 (no signatures recorded)
      [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        PID: 3812
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [depth 4] C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dgzaswrowflohczggavxhg.vbs"
          PID: 5888
          - System Location Discovery: System Language Discovery
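Persistence in this run is a single HKCU Run value, UnuKick, pointing at C:\Users\Admin\Videos\Kick\VideoUnu.exe, and the Signatures table attributes the write to the sample (PID 1788) rather than to the injected payload; the extracted Remcos config has install_flag false, so the loader handles installation itself. A user's Videos folder is not a location any installer puts an autostart binary, which makes the path alone a useful triage signal. The Python below is an added example, not part of the report: it parses constructed `reg query` output (the UnuKick line copies the report's value; the other three entries and the folder heuristics are assumptions) and ranks each entry by where its target lives, scoring the script file rather than the interpreter when an entry goes through wscript.exe or a similar host.

```python
"""Triage Run-key autostart entries by where their executable lives.

Added example for this report, not part of the sandbox output. The
`reg query` text is constructed: the UnuKick line reproduces the Run value
from the report; the other three entries are invented neighbours so the
scoring has benign and scripted cases to compare against. The folder
heuristics are an assumption, not a vendor rule set.
"""
import re

# Constructed to mimic `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    UnuKick    REG_SZ    C:\Users\Admin\Videos\Kick\VideoUnu.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" --silent
    Stage2    REG_SZ    wscript.exe "C:\Users\Admin\AppData\Local\Temp\dgzaswrowflohczggavxhg.vbs"
"""

ENTRY_RE = re.compile(r"^\s+(.+?)\s{2,}REG_(?:EXPAND_)?SZ\s+(.*?)\s*$", re.M)
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+')
# Interpreters that turn a dropped text file into code.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Per-user data folders; installers do not place autostart binaries here.
DATA_FOLDERS = {"videos", "pictures", "music", "documents", "downloads", "desktop"}


def split_command(data: str):
    """Split a Run value into (executable, arguments), honouring a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    head, _, rest = data.partition(" ")
    return head, rest.strip()


def classify_path(path: str):
    """Return (severity, reason) for the directory an autostart target lives in."""
    p = path.lower()
    parts = p.split("\\")
    if "\\temp\\" in p or "\\tmp\\" in p:
        return "high", "runs from a temp directory"
    if len(parts) > 3 and parts[1] == "users" and parts[3] in DATA_FOLDERS:
        return "high", f"runs from the user's {parts[3].capitalize()} folder"
    if "\\appdata\\" in p:
        return "medium", "runs from AppData (per-user install or malware drop)"
    if p.startswith("c:\\program files") or p.startswith("c:\\windows\\"):
        return "low", "system or Program Files location"
    return "medium", "unrecognised location"


def triage(reg_text: str):
    """Score every Run entry in `reg query` output, highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for name, data in ENTRY_RE.findall(reg_text):
        exe, args = split_command(data)
        target, prefix = exe, ""
        if exe.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            # Score the script being run, not the signed interpreter running it.
            m = PATH_RE.search(args)
            target = m.group(0) if m else exe
            prefix = f"{exe} executing a script; script "
        severity, reason = classify_path(target)
        rows.append({"name": name, "command": data, "severity": severity,
                     "reason": prefix + reason})
    return sorted(rows, key=lambda r: rank[r["severity"]])


if __name__ == "__main__":
    for row in triage(REG_QUERY_OUTPUT):
        print(f"[{row['severity']:6}] {row['name']}: {row['command']}  <- {row['reason']}")
```

The medium score for AppData is deliberate: OneDrive and most per-user installers live there alongside the bulk of malware drops, so AppData entries need a signature or hash check that a path heuristic cannot supply, whereas Videos, Downloads and Temp paths can be escalated on sight.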
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 184B
    MD5: 1f7eb09e0c6bac0673ebcc3e8a69ca43
    SHA1: 9bae1f4251cc13e7129501cce58d590dd963ecf5
    SHA256: d546db9b1b42fa64cf820ec0ed4abb96e482647edf33a70c94e19c99754040b3
    SHA512: 0bdd4ab1f8aa7f2de86137f0f480df91cfbe291ee235012e1739d5e546fdd37d2f7628cf6ab3232b5f96cda145f7bdb5e747528b4b5e1e44541e337372fd9f10
  File 2
    Filesize: 374B
    MD5: 92323d5eafdd057f2602a2a0b5f5230e
    SHA1: 9498775850b22af3303ce67d042c7cf3925b396b
    SHA256: 52512978ad3bd19b5bbc6a332b2cc7635947c9f29979f746f406161ffb3ac34a
    SHA512: 268d4fe79242535278a9ca3396d1e39f9be88285a4ea01304bd39415728e07e5d9b8392a778732ab3b65ab050aa6aa6aadf6f4d1443b39605763fc380637bb5c