Analysis
-
max time kernel
299s -
max time network
305s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-12-2024 23:09
General
-
Target
430010782.pdf.exe
-
Size
759KB
-
MD5
74c8f736d425b1bd2027c2b5b144e188
-
SHA1
76f160d6c55611b99dcd10f85889957cb867990a
-
SHA256
293ebd610b0542289ffe9a52cab2c2a434dcff94918045a5ed1497deaee5eb87
-
SHA512
c859f5d689b168a72db6fc7fec5ed3c2a95cbd51402f0128b5370ec0cd41d73e02f90e3b27b85b8d76c5c0140bd9a6d9341d2422673baa52a5138ff689596162
-
SSDEEP
12288:0GCX77iIc2b3mMhkApKwjVim+PMpa3oGk6Rcs93tRLPHj6XOahG:qr75cY2vFikV/oGtR193tJPDUOr
Malware Config
Extracted
remcos
RemoteHost
87.120.116.187:56
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-GC7VQU
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Loads dropped DLL 1 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Blocklisted process makes network request 8 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\430010782.pdf.exe"C:\Users\Admin\AppData\Local\Temp\430010782.pdf.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Ekstremumspunktet32=gc -raw 'C:\Users\Admin\AppData\Local\neoimpressionism\Arbejdsbesparelsernes40\Kbmand.Too';$byelaws=$Ekstremumspunktet32.SubString(71187,3);.$byelaws($Ekstremumspunktet32) "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\oisaiofwfjtcgkasgzzrirtdzbl"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zkytjgpxtrlgjqwwxjmttwouiidbbo"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\beddkzarhzdttwkaguymwjbkqwmkczjwn"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD501e76fe9d2033606a48d4816bd9c2d9d
SHA1e46d8a9ed4d5da220c81baf5f1fdb94708e9aba2
SHA256ee052fd5141bf769b841846170aabf0d7c2bb922c74c623c3f109344534f7a70
SHA51262ef7095d1bf53354c20329c2ce8546c277aa0e791839c8a24108a01f9483a953979259e0ad04dbcab966444ee7cdd340f8c9557bc8f98e9400794f2751dc7e0
-
Filesize
4KB
MD560a0bdc1cf495566ff810105d728af4a
SHA1243403c535f37a1f3d5f307fc3fb8bdd5cbcf6e6
SHA256fd12da9f9b031f9fa742fa73bbb2c9265f84f49069b7c503e512427b93bce6d2
SHA5124445f214dbf5a01d703f22a848b56866f3f37b399de503f99d40448dc86459bf49d1fa487231f23c080a559017d72bcd9f6c13562e1f0bd53c1c9a89e73306a5
-
Filesize
69KB
MD5fe436db316fbc26e45e0e549ef823194
SHA1a6167e8edaba364577375393344d64d7d29e5455
SHA256fd88a6b7f747f43380875af5fa4ef6b735afd1c52d0a75d1e14513fca9f26ad4
SHA51205e48c88be028ffa2724ec129df3b9b2125f4b07ae50a9b8f6010443c94489bdc8fbc533dcabf40d9afd1b8e0cad95faa2c94c10e703c0c63e43adaae5bf3868
-
Filesize
319KB
MD555ac96f564dc8f6b82fa7e240d6eee3a
SHA16b141e40fb89357ddf8f54dff918689c21883f0d
SHA256843565dd040bb35626b2c30eedd8928efa98fa4c221ac6da35a350f35faf270a
SHA5122a41085ccf49e8e7c8659d2d211042628bc22946f3ea969ac5cd1c5cd089b663c48ceadc7cbd08f5c2df736f4a2be10f96b6b968988ca92db892ef65a8b124df
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
23.6MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB