Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
17-11-2024 14:37
Static task
static1
Behavioral task
behavioral1
Sample
bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
Resource
win10v2004-20241007-en
General
-
Target
bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
-
Size
916KB
-
MD5
7c9117e9ec6db111cf1f67d512b5e800
-
SHA1
8b88b24bf4893a9c1dff2f79425f4cbea4a79bd5
-
SHA256
bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178f
-
SHA512
a4cf30a429ebb4f2533538f51ef0314f7993b653a5989bac51d944eb4c163dc16745e858ddc81bbe400bce80f4ee839fb876abacc1dede69b491375fd0767cb2
-
SSDEEP
24576:bMyqk7d8gE/KTudG5Zl75eJzKo8BYttZ7npS4d:XZ8gE/KSdyT5u+fB6TpSo
Malware Config
Extracted
remcos
RemoteHost
alibabaforwader.duckdns.org:60247
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-6XDESO
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2556 powershell.exe 2712 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2996 set thread context of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2564 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 2556 powershell.exe 2712 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe Token: SeDebugPrivilege 2556 powershell.exe Token: SeDebugPrivilege 2712 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1704 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 2996 wrote to memory of 2712 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 31 PID 2996 wrote to memory of 2712 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 31 PID 2996 wrote to memory of 2712 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 31 PID 2996 wrote to memory of 2712 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 31 PID 2996 wrote to memory of 2556 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 33 PID 2996 wrote to memory of 2556 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 33 PID 2996 wrote to memory of 2556 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 33 PID 2996 wrote to memory of 2556 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 33 PID 2996 wrote to memory of 2564 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 35 PID 2996 wrote to memory of 2564 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 35 PID 2996 wrote to memory of 2564 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 35 PID 2996 wrote to memory of 2564 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 35 PID 2996 wrote to memory of 2356 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 37 PID 2996 wrote to memory of 2356 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 37 PID 2996 wrote to memory of 2356 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 37 PID 2996 wrote to memory of 2356 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 37 PID 2996 wrote to memory of 2080 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 38 PID 2996 wrote to memory of 2080 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 38 PID 2996 wrote to memory of 2080 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 38 PID 2996 wrote to memory of 2080 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 38 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39 PID 2996 wrote to memory of 1704 2996 bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pNlkzRsCluNDj.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNlkzRsCluNDj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD308.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"2⤵PID:2356
-
-
C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"2⤵PID:2080
-
-
C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1704
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5db5c99165c97b6ebb4631a4b8a722314
SHA1992b11cc3647961e2db1b1427ac0b44e48cff822
SHA256cb00967f3dab226ed269b8a8173123696221533bf5f918170ef76449b41874db
SHA512ef681cfaf1feb986bfe312a9c887381b76b662c8346e642f0cb705dfd377047d43d417e43a97716633c1e134a99b35e3f6aa0f13ef81785af512272b8ae17b36
-
Filesize
1KB
MD55257e9afa22fcea88d5b6ed4a204c3cb
SHA1b845371f8f35c23ee5570400c0c0616af3f54105
SHA2567d8cace133d9d7977d548f07eb4ae1004b315c7296be00ba08a64c7ceddd6d24
SHA512229e6687d52208d85be521c13629effccb91e8eae980dd85fa4d22cbf8a4e18f1132b536c2230553985357f0166ae8f81d392f161897fdcaa9c213e10587165b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5ec6fd60c69064eaf4ffbefc8f4490342
SHA1c5f6737fd83cbe564c220f595b41933d108518e2
SHA256f764837eb744bcfe6ecc1837c80f3ea02d30562ffe00e364589eeea7d24326f9
SHA5123fbf6cf718538fad95a4ffbafdbfc4f2417cdc7a69fdc5d6d142151bcc0fe5fa4d0662fbf58b2a450d717d3ecee2ceebe3fb7f495cf18b368599cba20927cef5