Analysis
-
max time kernel
180s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-11-2024 22:46
Static task
static1
Behavioral task
behavioral1
Sample
2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe
Resource
win7-20240903-en
General
-
Target
2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe
-
Size
5.2MB
-
MD5
8cb9e46a08c436f772738ad5708a8ec5
-
SHA1
d7672934e1ec81f3f1d1e59a06556b641e97c69a
-
SHA256
1f12c1cbc308e400ba5eca71443f8dc41162be0c0a59afd60a04cc6bb7705f5d
-
SHA512
b001d3a78006b4d45e1041939ac0ea940db3de886e5fb68defe40e2466bd5b94b8da213ac48ead29054de5001ba7cc89bdd3dab85acf4367a14551e158d0e90a
-
SSDEEP
98304:vLfK1AYizQPQo006Jr2qenjIsQZdZK/++cy5u7rwIGPZr:ri8QIo05gnjIsMu2bdrwIGPZr
Malware Config
Extracted
remcos
ORO
noviembre14.ydns.eu:2708
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-J4BNGW
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 2056 created 3464 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 54 -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Next.vbs 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 13 bitbucket.org 14 bitbucket.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2056 set thread context of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe Token: SeDebugPrivilege 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2192 InstallUtil.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2056 wrote to memory of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92 PID 2056 wrote to memory of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92 PID 2056 wrote to memory of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92 PID 2056 wrote to memory of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92 PID 2056 wrote to memory of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92 PID 2056 wrote to memory of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92 PID 2056 wrote to memory of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92 PID 2056 wrote to memory of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92 PID 2056 wrote to memory of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92 PID 2056 wrote to memory of 2192 2056 2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe 92
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe"C:\Users\Admin\AppData\Local\Temp\2082-1220- SEGUNDA INSTANCIA No. 7590-2024.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2192
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD522cb72eaafa214bec41fe9d1190b749a
SHA1a63955e7e29d1646b4b64fd55e21c1a598ad0ea9
SHA2566d69ce8ed9b79ac373374e9890172463f646f914d0f0327ca6851a045af23ef6
SHA51226bc46972a4bf7ef2e2c16defa30823d352c5423a808e4573a81f4b65fa205ea5d5989f1081a971aaabf61c9aa51d5d2e97fd630d5f6975629adf405027a5f4f