Overview

Static analysis score: 10

Sample                  Platform              Score
setfsb/Creator.xls      windows7-x64          3
setfsb/Creator.xls      windows10-2004-x64    3
setfsb/WinRing0.dll     windows7-x64          1
setfsb/WinRing0.dll     windows10-2004-x64    3
setfsb/WinRing0.sys     windows7-x64          3
setfsb/WinRing0.sys     windows10-2004-x64    1
setfsb/Win...64.sys     windows7-x64          1
setfsb/Win...64.sys     windows10-2004-x64    1
setfsb/setfsb.exe       windows7-x64          1
setfsb/setfsb.exe       windows10-2004-x64    10
Analysis (score 10)

Max time kernel:   149s
Max time network:  151s
Platform:          windows10-2004_x64
Resource:          win10v2004-20241007-en
Resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted:         13-11-2024 02:09
Static task
  static1

Behavioral tasks
  Task          Sample                     Resource
  behavioral1   setfsb/Creator.xls         win7-20240729-en
  behavioral2   setfsb/Creator.xls         win10v2004-20241007-en
  behavioral3   setfsb/WinRing0.dll        win7-20240903-en
  behavioral4   setfsb/WinRing0.dll        win10v2004-20241007-en
  behavioral5   setfsb/WinRing0.sys        win7-20240903-en
  behavioral6   setfsb/WinRing0.sys        win10v2004-20241007-en
  behavioral7   setfsb/WinRing0x64.sys     win7-20240903-en
  behavioral8   setfsb/WinRing0x64.sys     win10v2004-20241007-en
  behavioral9   setfsb/setfsb.exe          win7-20240903-en
General

Target:  setfsb/setfsb.exe
Size:    3.0MB
MD5:     3cd8c8422b497b7767c17be00a3617c9
SHA1:    295b9ec152b097b10c9bdcf152c4694d73d6921c
SHA256:  8b950c17cd699378034ef7fbf61cf7ecedebbb831ef7bfc3b8e2f139bfa35e06
SHA512:  438bcb6738356a6ac7ff61a6a1c0980e291b9b08ca81417398cc69e40d71ec7c1dba0861ec72e0c74ff2a2bd33ccbcf58d59756c3dd67fb9ef43fd8d9ef598fe
SSDEEP:  49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338K:t92bz2Eb6pd7B6bAGx7n333l
Malware Config

Extracted: remcos
New
95.217.148.142:9004

audio_folder:            MicRecords
audio_record_time:       5
connect_delay:           0
connect_interval:        1
copy_file:               remcos.exe
copy_folder:             Remcos
delete_file:             false
hide_file:               false
hide_keylog_file:        false
install_flag:            false
keylog_crypt:            false
keylog_file:             logs.dat
keylog_flag:             false
keylog_folder:           remcos
mouse_option:            false
mutex:                   SSS1ooosSAweewwe-X6B4E4
screenshot_crypt:        false
screenshot_flag:         false
screenshot_folder:       Screenshots
screenshot_path:         %AppData%
screenshot_time:         10
take_screenshot_option:  false
take_screenshot_time:    5
Signatures

Remcos family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Description         IoC                                                                                                  Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation   setfsb.exe

Executes dropped EXE (3 IoCs)
  PID    Process
  4172   setfsb.exe
  904    scr_previw.exe
  3676   scr_previw.exe

Loads dropped DLL (2 IoCs)
  PID    Process
  904    scr_previw.exe
  3676   scr_previw.exe

Suspicious use of SetThreadContext (1 IoC)
  Description                           PID    Process          procid_target
  PID 3676 set thread context of 1540   3676   scr_previw.exe   95

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description   IoC                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   scr_previw.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   explorer.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   setfsb.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   setfsb.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   setfsb.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   scr_previw.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID    Process
  3488   setfsb.exe
  3488   setfsb.exe
  904    scr_previw.exe
  3676   scr_previw.exe
  3676   scr_previw.exe
  1540   cmd.exe
  1540   cmd.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID    Process
  3676   scr_previw.exe
  1540   cmd.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID    Process
  3488   setfsb.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  Description                       PID    Process          procid_target
  PID 2580 wrote to memory of 3488  2580   setfsb.exe       86
  PID 2580 wrote to memory of 3488  2580   setfsb.exe       86
  PID 2580 wrote to memory of 3488  2580   setfsb.exe       86
  PID 3488 wrote to memory of 4172  3488   setfsb.exe       88
  PID 3488 wrote to memory of 4172  3488   setfsb.exe       88
  PID 3488 wrote to memory of 4172  3488   setfsb.exe       88
  PID 3488 wrote to memory of 904   3488   setfsb.exe       89
  PID 3488 wrote to memory of 904   3488   setfsb.exe       89
  PID 3488 wrote to memory of 904   3488   setfsb.exe       89
  PID 904 wrote to memory of 3676   904    scr_previw.exe   90
  PID 904 wrote to memory of 3676   904    scr_previw.exe   90
  PID 904 wrote to memory of 3676   904    scr_previw.exe   90
  PID 3676 wrote to memory of 1540  3676   scr_previw.exe   95
  PID 3676 wrote to memory of 1540  3676   scr_previw.exe   95
  PID 3676 wrote to memory of 1540  3676   scr_previw.exe   95
  PID 3676 wrote to memory of 1540  3676   scr_previw.exe   95
  PID 1540 wrote to memory of 3488  1540   cmd.exe          109
  PID 1540 wrote to memory of 3488  1540   cmd.exe          109
  PID 1540 wrote to memory of 3488  1540   cmd.exe          109
  PID 1540 wrote to memory of 3488  1540   cmd.exe          109
  PID 1540 wrote to memory of 3488  1540   cmd.exe          109
Processes

C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe  (depth 1, PID 2580)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe  (depth 2, PID 3488)
    Command line: "C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe" /VERYSILENT
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe  (depth 3, PID 4172)
      Command line: "C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\scr_previw.exe  (depth 3, PID 904)
      Command line: "C:\Users\Admin\AppData\Roaming\scr_previw.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe  (depth 4, PID 3676)
        Command line: C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (depth 5, PID 1540)
          Command line: C:\Windows\SysWOW64\cmd.exe
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\explorer.exe  (depth 6, PID 3488)
            Command line: C:\Windows\SysWOW64\explorer.exe
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads