Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
18-11-2024 17:09
Static task
static1
Behavioral task
behavioral1
Sample
5e0f540fbed81efe0941f8949498c92c.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
5e0f540fbed81efe0941f8949498c92c.exe
Resource
win10v2004-20241007-en
General
-
Target
5e0f540fbed81efe0941f8949498c92c.exe
-
Size
964KB
-
MD5
5e0f540fbed81efe0941f8949498c92c
-
SHA1
d2712dbb06910cd272d57ca6926f815f23dc2cad
-
SHA256
b3a40331524394846d2782f1e52e1410ce1681283f8c715373bab73c84fa30ec
-
SHA512
8bdd8fa363883e9243f1266fe7746ad201084303a20c3c74a604587766cf3c89681f940a44b298b7c52b01f389353547031a82936af8898236b5f4214e9f45a6
-
SSDEEP
24576:oMyNWpDUsl0uHw8LXqBlxZ1QZNAkvpnFDv0eiV:CmAg0uHyjZaP3frC
Malware Config
Extracted
remcos
RemoteHost
103.67.163.218:2298
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-HLZ36K
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2140 powershell.exe 2884 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2084 set thread context of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5e0f540fbed81efe0941f8949498c92c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5e0f540fbed81efe0941f8949498c92c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2752 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2084 5e0f540fbed81efe0941f8949498c92c.exe 2084 5e0f540fbed81efe0941f8949498c92c.exe 2140 powershell.exe 2884 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2084 5e0f540fbed81efe0941f8949498c92c.exe Token: SeDebugPrivilege 2140 powershell.exe Token: SeDebugPrivilege 2884 powershell.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2084 wrote to memory of 2140 2084 5e0f540fbed81efe0941f8949498c92c.exe 31 PID 2084 wrote to memory of 2140 2084 5e0f540fbed81efe0941f8949498c92c.exe 31 PID 2084 wrote to memory of 2140 2084 5e0f540fbed81efe0941f8949498c92c.exe 31 PID 2084 wrote to memory of 2140 2084 5e0f540fbed81efe0941f8949498c92c.exe 31 PID 2084 wrote to memory of 2884 2084 5e0f540fbed81efe0941f8949498c92c.exe 33 PID 2084 wrote to memory of 2884 2084 5e0f540fbed81efe0941f8949498c92c.exe 33 PID 2084 wrote to memory of 2884 2084 5e0f540fbed81efe0941f8949498c92c.exe 33 PID 2084 wrote to memory of 2884 2084 5e0f540fbed81efe0941f8949498c92c.exe 33 PID 2084 wrote to memory of 2752 2084 5e0f540fbed81efe0941f8949498c92c.exe 34 PID 2084 wrote to memory of 2752 2084 5e0f540fbed81efe0941f8949498c92c.exe 34 PID 2084 wrote to memory of 2752 2084 5e0f540fbed81efe0941f8949498c92c.exe 34 PID 2084 wrote to memory of 2752 2084 5e0f540fbed81efe0941f8949498c92c.exe 34 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37 PID 2084 wrote to memory of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e0f540fbed81efe0941f8949498c92c.exe"C:\Users\Admin\AppData\Local\Temp\5e0f540fbed81efe0941f8949498c92c.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5e0f540fbed81efe0941f8949498c92c.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kQKXdTJmc.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kQKXdTJmc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF42E.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2752
-
-
C:\Users\Admin\AppData\Local\Temp\5e0f540fbed81efe0941f8949498c92c.exe"C:\Users\Admin\AppData\Local\Temp\5e0f540fbed81efe0941f8949498c92c.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2764
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50b905fb8552cb35b1f99f227c1de5dbc
SHA17c88c56119ea0422534546bbf93730d621d3fb9a
SHA25682f86b38d602ba32cf0d4eb86da6ec860193c4e337b2e823568fad33db80b597
SHA512d24844cf84af2a3178e6aca48a4762c1ac8837c9fb94c19878dd56f719e0b91e0f15389595b65a7249f07d2a8745d71225a192ec5c2f3cb5b84bd0852dd6def3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DMXQUZ67XXLQCD40ESYI.temp
Filesize7KB
MD5dd1e4d720806ab38ec2a1e64d7ab7be4
SHA1a3afbaae42c8b67047f78c616eb815c0d93f86ca
SHA256945e1569a0a97d4953a8a4235d2f716f3c42734a3a64563a338582f869a4df76
SHA512f1dc26ea5b655e56186064cc5481c2b8fdb17d1a6c83a695157d9b5caa61e92be02e9c8e1026362d6057399ca742920391f64da4878a6bd66ec5eb1283be39b8