Analysis
-
max time kernel
149s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
22-11-2024 02:03
Static task
static1
Behavioral task
behavioral1
Sample
06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe
Resource
win7-20241010-en
General
-
Target
06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe
-
Size
1.2MB
-
MD5
5699d5b44379624ebc78078a1b85e18c
-
SHA1
ec5c17b3d75b17ecac13189411c947a2e702d2bf
-
SHA256
06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f
-
SHA512
db80b2bf2fba5ca707c34b3b96b37cc6f1b07d3ea932e8a1cf18dcbd0c14de264dc30b04aa079666aa1f6a37999d78a7b6bc6ba658486f241801e53e3dbe8ab5
-
SSDEEP
24576:xbS0RhM8VtCAsdn3x4K30AHc/nVHwOsG91VT9LcsikZeHoi+oYjqm2Z:VXh5AN3xN30AHc/V6G9n5KaAZpZ
Malware Config
Extracted
remcos
host_one
101.99.94.69:2404
101.99.94.69:8090
101.99.94.69:44444
101.99.94.69:80
101.99.94.69:21
101.99.94.69:4899
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
rmc
-
mouse_option
false
-
mutex
Rmc-UP4CTA
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 3084 created 3424 | 3084 | Lucas.pif | Explorer.EXE
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url | cmd.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
3084 | Lucas.pif
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid | process
4372 | tasklist.exe
4320 | tasklist.exe
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\ConcreteChaos | 06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe
File opened for modification | C:\Windows\RespondingBeans | 06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe
File opened for modification | C:\Windows\PostsPatrick | 06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe
File opened for modification | C:\Windows\DesignerQuiet | 06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe
File opened for modification | C:\Windows\HardwoodBrochure | 06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lucas.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
pid | process
3084 | Lucas.pif (this row is repeated 34 times in the report)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4372 | tasklist.exe
Token: SeDebugPrivilege | 4320 | tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
3084 | Lucas.pif (this row is repeated 3 times in the report)
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
3084 | Lucas.pif (this row is repeated 3 times in the report)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
3084 | Lucas.pif
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
description | pid | process | target process
PID 4988 wrote to memory of 4360 | 4988 | 06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe | cmd.exe
PID 4360 wrote to memory of 4372 | 4360 | cmd.exe | tasklist.exe
PID 4360 wrote to memory of 4876 | 4360 | cmd.exe | findstr.exe
PID 4360 wrote to memory of 4320 | 4360 | cmd.exe | tasklist.exe
PID 4360 wrote to memory of 1916 | 4360 | cmd.exe | findstr.exe
PID 4360 wrote to memory of 2824 | 4360 | cmd.exe | cmd.exe
PID 4360 wrote to memory of 2608 | 4360 | cmd.exe | findstr.exe
PID 4360 wrote to memory of 1648 | 4360 | cmd.exe | cmd.exe
PID 4360 wrote to memory of 3084 | 4360 | cmd.exe | Lucas.pif
PID 4360 wrote to memory of 3520 | 4360 | cmd.exe | choice.exe
PID 3084 wrote to memory of 1500 | 3084 | Lucas.pif | cmd.exe
(each row above appears three times in the report, giving the 33 IoCs)
Processes
(the bracketed number is the depth of the process in the tree)
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3424
  [2] C:\Users\Admin\AppData\Local\Temp\06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f.exe"
      - Checks computer location settings
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4988
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c move Kits Kits.bat & Kits.bat
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4360
      [4] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          - Enumerates processes with tasklist
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 4372
      [4] C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /I "wrsa opssvc"
          - System Location Discovery: System Language Discovery
          PID: 4876
      [4] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          - Enumerates processes with tasklist
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 4320
      [4] C:\Windows\SysWOW64\findstr.exe
          Command line: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
          - System Location Discovery: System Language Discovery
          PID: 1916
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c md 603423
          - System Location Discovery: System Language Discovery
          PID: 2824
      [4] C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /V "speechesdjexpandingsoviet" Controllers
          - System Location Discovery: System Language Discovery
          PID: 2608
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c copy /b ..\Southampton + ..\Transition + ..\Mars + ..\Paying + ..\Clay + ..\Usually + ..\Fighters + ..\Disposition + ..\Models + ..\Semester s
          - System Location Discovery: System Language Discovery
          PID: 1648
      [4] C:\Users\Admin\AppData\Local\Temp\603423\Lucas.pif
          Command line: Lucas.pif s
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 3084
      [4] C:\Windows\SysWOW64\choice.exe
          Command line: choice /d y /t 5
          - System Location Discovery: System Language Discovery
          PID: 3520
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url" & echo URL="C:\Users\Admin\AppData\Local\DesignInno Innovations\InnoCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url" & exit
      - Drops startup file
      - System Location Discovery: System Language Discovery
      PID: 1500
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5
baa9139f4c084ce1ddcc4e0fe610efa2
SHA1
c9fef7e62bc36bcd57145c77e23a3e235a54e7b6
SHA256
dce613d06417a77d9456e079a87702043b1da80eb537b98dbc71ac60f09d3141
SHA512
ae39628eea0df75412f5c1887bb9eaf3654b04afed0c507393e577df0972f86f4306b50127efe39a012299c29ed22165a9b600069bb7557431f8844b363b52b1
-
Filesize
872KB
MD5
18ce19b57f43ce0a5af149c96aecc685
SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
713KB
MD5
a61cd75428195955c56a9eef603912ce
SHA1
8e8d3aa2e563765617254aa949f8b6c274bb0a83
SHA256
8c9e7ab10c40aaea832b0c5704108f9390c5982bd25a32c8602794613b4e9cd4
SHA512
227023389522767a8739e30e39bf702df11f724cf7f7c65f24ba8de3036fc627073d8e2b64ad250911e587eca3867a92a3619c96fa349b5781fd31da9974d0e5
-
Filesize
94KB
MD5
08d48bb5a4e1c7a5a6ccec11c1a6cb68
SHA1
3d609ee87ca224a316227a8225b0f5ffe465aa98
SHA256
d1aae1434e502cea9556e394ce892df5407af5f1110222d6303032f792ed57fd
SHA512
19c7b4236b6e06b5d909b326ef73435d7e864f2c345adae1dd10f1af4f2b6a68d46c8339d9c0f17d00fc4a2947dcfccb1e8dbd1e9fbd29872ef65d61587c991f
-
Filesize
5KB
MD5
630673fea68bda5ce7750d0bacb5ff0e
SHA1
ca24cfdd26fe66409230e5e1509f86d2bc3a0ba5
SHA256
be6a1c82eae77cf9bbaabefa38e652236a31317ccbf9f9f2387f4155b871a33d
SHA512
3a96dee0f6141f7d84aa3fd475a837c0dcf4d7afde871f87fde8c1199fb5514628b9d7efb05d3b720fd8e22166e44467e5863fdfa197193b7e3c04dd917084c7
-
Filesize
56KB
MD5
64be2aa6b09b4d3b1ae7f5496dc50d36
SHA1
d74a4209344293473d5ba7ec8f044419ca140b5d
SHA256
5773776eb34d9b7cf9efb47ff33655462607bcad9eafed7e3d27f192667b9944
SHA512
c9dae81739761f34ba9a1dcc16d484a76032b888954615884e70dff5fc9259dba7a89acfe0144cc60ae3bf3d20487e3c9a80cec19adc6575b4f9aaf92ee0b9a1
-
Filesize
62KB
MD5
c255a215a56f0191ff16163454ba6ed9
SHA1
2268b09fb0e58c569bc2cdf0562d7adb12471776
SHA256
e616974209f50ab58459f6fb5a960122cd37241b8c57a89556f443161c92b148
SHA512
5a009da0bddb7a49ef1cc6b270769c527de138c643eb454763e73efcdb9c40e918a70539956bfe0bfcfc248efdf4ff759080dc42b4b591f3a853ff0ff9ee8137
-
Filesize
866KB
MD5
783575f3f822151ed1b1e1022a10e027
SHA1
d03e7b6be2eeb48e0e09b9050c4739b07a1a889d
SHA256
d1e3a4a8b96f3ea63281200340552d7a1e0a5514f3bb5726d10b0d871c20357e
SHA512
e19791dc189b3f699d02efbd8c1b05afbe6049ccf1d09a2a89d9fcc64ad15d10076389bac02ea110f76b959040f96e45b58b14568ae4874381e2515d1d9b595e
-
Filesize
14KB
MD5
479ca8f2e48fcf67b018c911cd335ae1
SHA1
f8a2d5e86a8854bb97e1aa48e9dfe10fd24b32ef
SHA256
59194cc6347489f833b3d58ec07b1caa054fb48856c1d27299584ef34707a638
SHA512
9d5ce01be08edcde6904067b0e3c26f06d17f4501fa6dc68f8665c9b63faebd39acb6dc2eee82180532c71c63c4531db029bbdc78388eb0326263ffe964e496e
-
Filesize
62KB
MD5
7e3b9b5efedce4231bb02f1fd97fcd5d
SHA1
1042788b51134c23008ed274b598559e9b1568d8
SHA256
b7e8ee21f058df49534eac35fa6e4cdf1c3e6f599e0b131344f349284a0ce5b3
SHA512
3c621de45969a177209e9f6027cce646d165130c3d40a84f2920d3939efd30479e9e21912a8fc016f63ab84fdfa0879201faa421fa90031db6c81250bb524ff9
-
Filesize
83KB
MD5
a265646b71f2bd90b49af78bacb0a603
SHA1
c43be494ff7b8802e7e013c3d576767844a0102d
SHA256
ae7f2c347f8938bbf0532472bbc8984fe93e7c0748b1d368b1172dd1f2df60f2
SHA512
090d00aa588ad1cce583edbcc66b1b6de002d34fdca5743b6114ffcb84f4b645ee9947cdc494e83fedf4f704b13067b3fdc21f88f33e3085bcbe105d445577c5
-
Filesize
94KB
MD5
440b16f0da2cabdfdb6de4c4f73a6061
SHA1
e983bc7837886155a9b45ff9c17cc5dad5daa02f
SHA256
992d790758c278dd0653c40bd77f70d8ee0378f277162637215ecae8815fe034
SHA512
4a49079828a9a6150de7b582be92dd7a43364a43b2fe04f1a782b5e32a36b3de9f4587b4091d82760bf566e318dc925d4684ec8a9e7993b8899b8ec042c6d917
-
Filesize
14KB
MD5
a6d6c60fd822110be81938b5a83b9533
SHA1
5c6e5fb2f1ec160731f29757d7510a78190d1b21
SHA256
d11304a432fbd7ff5d1e44778d5bd348360ee46b00240049284f95276bdd47df
SHA512
e46a75de38b77af796e90426e89e8e5d697d7cad8f309f7067752c7b7341d81c0bb65ff1bbabe71026fafcdaedcd4ed29c0f5ceef086305f1b8c771bb6a189e5
-
Filesize
75KB
MD5
359570710d9793aa98e354bcbf386a38
SHA1
7b44dde782d9276654ef05e67a1dab5fa4310e85
SHA256
7146161b192a851540672d31b69b91f6d732cee8777ebbe6246798a4838d07e2
SHA512
8ec53f429a6ec12057a517cb32371e6e921a0fb10db2c462870c9bdff605b1247b07e2b29c199cb189f88c2baaaca7da0e427eb4ccf441b414fd0c64fd174c49
-
Filesize
80KB
MD5
c42fcc17904fa666d76265b8a45b7734
SHA1
368acd51bd62beedb4cbddf7142473d5a873484d
SHA256
05fb815535624e6fdebd1d3fd3c41e5e056c368a7ca57e2d681b7e91aaa6a44e
SHA512
900c1f3fc85a96ff9384f8a15df264aec456a54841108e27f347797afd25031922db535a2749d1b627e28aea5206bfa7960bb1ca72820eb49b19e3543401b2db
-
Filesize
93KB
MD5
1885adf09acfa4b8818bf8153786cbc3
SHA1
48b1c38c8712f683e722cbc1f7977a6b3f4e3b7d
SHA256
3ea7cee5a287a1f5a6923ccf717025658c0476968df6b6d5a1783a8b9f4dde74
SHA512
83d007312ccaac1e17d74feba18149f351e135f1c972bba62157e273863eecd566479c62d103048bba1eb6afebebe1eba4c018ffb7f2dd7da12dbb9455215e42