Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-12-2024 15:10
Static task
static1
Behavioral task
behavioral1
Sample
Purchase order 202412.scr
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Purchase order 202412.scr
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
Purchase order 202412.scr
-
Size
1.6MB
-
MD5
15214c528c41de4d5e542ebd3d4ac075
-
SHA1
bdab48d323ab0e0c4689061db5fb08adfe1afec8
-
SHA256
5aeb1293c473a66795bf0ff3a7892e6a6cf70aea5248a38f204632a5fdbe1f63
-
SHA512
02b6635e4f1a98765e65ee14db0e93ab8dfdf4c7c0086addad86e4a09466ae49dc66accda0bc142828656fca994eb99255ea4c762ffc9f6706410e4877cc9fc2
-
SSDEEP
24576:t9tWunuwwAghUBUQyXGF8X0VMMOFdYHJStLidtLw8tWVq6VdbcGstKR18+YDQZp:NWtP4+P0Vn+dYHMwwjbV6Gst2aDQZp
Malware Config
Extracted
remcos
RemoteHost
subddfg.lol:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-A65UIX
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Detected Nirsoft tools 8 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/976-57-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/4512-70-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/4512-68-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/4512-67-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/2236-61-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/976-60-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/2236-58-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/976-73-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/4512-70-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/4512-68-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/4512-67-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/976-57-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/976-60-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/976-73-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Loads dropped DLL 2 IoCs
pid Process 2840 Purchase order 202412.scr 2840 Purchase order 202412.scr -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Purchase order 202412.scr -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Reaccented.scr" Purchase order 202412.scr -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 2808 Purchase order 202412.scr -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2840 Purchase order 202412.scr 2808 Purchase order 202412.scr -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2840 set thread context of 2808 2840 Purchase order 202412.scr 85 PID 2808 set thread context of 976 2808 Purchase order 202412.scr 96 PID 2808 set thread context of 4512 2808 Purchase order 202412.scr 97 PID 2808 set thread context of 2236 2808 Purchase order 202412.scr 98 -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\polybuny\proteolysis.dat Purchase order 202412.scr -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Purchase order 202412.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Purchase order 202412.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Purchase order 202412.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Purchase order 202412.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Purchase order 202412.scr -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 976 Purchase order 202412.scr 976 Purchase order 202412.scr 2236 Purchase order 202412.scr 2236 Purchase order 202412.scr 976 Purchase order 202412.scr 976 Purchase order 202412.scr -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 2840 Purchase order 202412.scr 2808 Purchase order 202412.scr 2808 Purchase order 202412.scr 2808 Purchase order 202412.scr -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2236 Purchase order 202412.scr -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2840 wrote to memory of 2808 2840 Purchase order 202412.scr 85 PID 2840 wrote to memory of 2808 2840 Purchase order 202412.scr 85 PID 2840 wrote to memory of 2808 2840 Purchase order 202412.scr 85 PID 2840 wrote to memory of 2808 2840 Purchase order 202412.scr 85 PID 2840 wrote to memory of 2808 2840 Purchase order 202412.scr 85 PID 2808 wrote to memory of 976 2808 Purchase order 202412.scr 96 PID 2808 wrote to memory of 976 2808 Purchase order 202412.scr 96 PID 2808 wrote to memory of 976 2808 Purchase order 202412.scr 96 PID 2808 wrote to memory of 4512 2808 Purchase order 202412.scr 97 PID 2808 wrote to memory of 4512 2808 Purchase order 202412.scr 97 PID 2808 wrote to memory of 4512 2808 Purchase order 202412.scr 97 PID 2808 wrote to memory of 2236 2808 Purchase order 202412.scr 98 PID 2808 wrote to memory of 2236 2808 Purchase order 202412.scr 98 PID 2808 wrote to memory of 2236 2808 Purchase order 202412.scr 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr"C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr" /S1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr"C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr" /S2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr"C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr" /stext "C:\Users\Admin\AppData\Local\Temp\hwhh"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:976
-
-
C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr"C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr" /stext "C:\Users\Admin\AppData\Local\Temp\jqmzzru"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:4512
-
-
C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr"C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr" /stext "C:\Users\Admin\AppData\Local\Temp\uszkakfhfp"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5562a58578d6d04c7fb6bda581c57c03c
SHA112ab2b88624d01da0c5f5d1441aa21cbc276c5f5
SHA256ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8
SHA5123f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e
-
Filesize
11KB
MD50063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0