Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2024 02:20
Static task: static1
Behavioral task: behavioral1
Sample: 28773fb2aff96e836707d9ffd5e8aa706d0ce54c956fbee42b9dd9b150e997e8.exe
Resource: win7-20240903-en
General
Target: 28773fb2aff96e836707d9ffd5e8aa706d0ce54c956fbee42b9dd9b150e997e8.exe
Size: 1.2MB
MD5: 9dcf036916a9158cc7087c80374db9ae
SHA1: 69d9b8ffe2c74adebe1d1dcca6f42cb394e3f045
SHA256: 28773fb2aff96e836707d9ffd5e8aa706d0ce54c956fbee42b9dd9b150e997e8
SHA512: d4c585730a46f900eb691fbad746e4a7354396cf5372929afdc62198c9a6e0cabf388d1c3c72dcab3b6b07d29f89c63a327a9fb4ad34e8eedb2fc03455e17727
SSDEEP: 24576:KSFcPJBSdw3vTzQc6Uv+wwECbpoZfBlCm7pQU7H6VTPaTsNuloTEd7C7g:RYLhIcp+LNoZJwn2dYNyowH
Malware Config
Extracted
Family: remcos
Botnet: Buy
C2: 3diciembre.con-ip.com:1515
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: registros.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: olajnxzsertqmvncftukmnbhplahxzt-PE02EX
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Capturas de pantalla
screenshot_path: %AppData%
screenshot_time: 10
startup_value: (empty)
take_screenshot_option: false
take_screenshot_time: 5
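The block above is the sandbox's flattened export of the Remcos configuration: a header of three bare lines (read here as family, botnet name and C2, which is the sandbox's usual layout for Remcos and is an assumption of this example), then key/value pairs separated by "-" lines, with one key (startup_value) that has no value at all. The parser below is an added example, not the sandbox's own extractor and not Remcos code; it turns that export into typed fields and the handful of indicators a hunter actually needs (C2 host and port, mutex, and whether the RAT installs itself or leaves persistence to the loader). The inline dump is a constructed excerpt of this page's config block, including the fused "- startup_value" line so the edge case is exercised.

```python
"""Parse the flattened Remcos config export on this page into typed fields and
hunting indicators. Added example, not the sandbox's extractor or Remcos code;
CONFIG_DUMP is a constructed excerpt of the page's 'Malware Config' block."""
import re

CONFIG_DUMP = (
    "remcos\nBuy\n3diciembre.con-ip.com:1515\n-\n"
    "connect_delay\n0\n-\nconnect_interval\n1\n-\n"
    "copy_file\nremcos.exe\n-\ncopy_folder\nRemcos\n-\n"
    "install_flag\nfalse\n-\nkeylog_file\nregistros.dat\n-\nkeylog_flag\nfalse\n-\n"
    "mutex\nolajnxzsertqmvncftukmnbhplahxzt-PE02EX\n-\n"
    "screenshot_folder\nCapturas de pantalla\n-\nscreenshot_path\n%AppData%\n-\n"
    "screenshot_time\n10\n- startup_value\n-\ntake_screenshot_time\n5\n"
)

HOST_PORT = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$")


def _coerce(value):
    """'true'/'false' -> bool, digit strings -> int, anything else stays a str."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return int(value) if value.isdigit() else value


def parse_remcos_config(dump):
    """Return (family, botnet, c2, fields) from the export layout on this page:
    a header chunk of three bare lines, then '-'-separated key/value chunks.
    A chunk that carries only a key (startup_value here) maps to ''."""
    chunks, current = [], []
    for line in dump.strip().splitlines():
        line = line.strip()
        if line == "-":                       # plain separator
            chunks.append(current)
            current = []
        elif line.startswith("- "):           # separator fused with the next key
            chunks.append(current)
            current = [line[2:]]
        else:
            current.append(line)
    if current:
        chunks.append(current)
    family, botnet, c2 = chunks[0]            # header is assumed to be family/botnet/C2
    fields = {c[0]: _coerce(" ".join(c[1:])) for c in chunks[1:] if c}
    return family, botnet, c2, fields


def indicators(family, botnet, c2, fields):
    """Derive hunting indicators. If install_flag is false the RAT does not copy
    itself to copy_folder\\copy_file, so persistence must come from the loader."""
    m = HOST_PORT.match(c2)
    if not m:
        raise ValueError(f"unexpected C2 format: {c2!r}")
    out = {
        "family": family,
        "botnet": botnet,
        "c2": (m.group(1), int(m.group(2))),
        "mutex": fields["mutex"],
        "self_install": bool(fields.get("install_flag", False)),
        "keylogging": bool(fields.get("keylog_flag", False)),
        "connect_interval": fields.get("connect_interval"),
    }
    if out["self_install"]:
        out["install_path"] = fields["copy_folder"] + "\\" + fields["copy_file"]
    return out


if __name__ == "__main__":
    for k, v in indicators(*parse_remcos_config(CONFIG_DUMP)).items():
        print(f"{k:>16}: {v}")
```

For this sample the output has no install_path, which is the point: the Remcos\remcos.exe location from the config is not where to look on a host hit by this loader.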
Signatures
(In the tables below, 28773fb2….exe stands for 28773fb2aff96e836707d9ffd5e8aa706d0ce54c956fbee42b9dd9b150e997e8.exe.)

Remcos family

Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
description                pid   Process        procid_target
PID 2628 created 1216      2628  Paintball.com  21
PID 2628 created 1216      2628  Paintball.com  21
Paintball.com (PID 2628) created two processes with Explorer.EXE (PID 1216) supplied as the parent. Those are the cmd.exe instances 2544 and 2800 that the process tree shows under Explorer.EXE: the tree records the spoofed parent, while the WriteProcessMemory rows below record 2628 as the process that actually wrote to them.

Drops startup file (2 IoCs)
description                   ioc                                                                                              Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url    cmd.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url    cmd.exe

Executes dropped EXE (1 IoC)
pid   Process
2628  Paintball.com

Loads dropped DLL (1 IoC)
pid   Process
2876  cmd.exe

Enumerates processes with tasklist (1 TTP, 2 IoCs)
pid   Process
1068  tasklist.exe
2380  tasklist.exe

Drops file in Windows directory (5 IoCs)
description                   ioc                           Process
File opened for modification  C:\Windows\InternshipWant     28773fb2….exe
File opened for modification  C:\Windows\JpgCelebrity       28773fb2….exe
File opened for modification  C:\Windows\JpegSuse           28773fb2….exe
File opened for modification  C:\Windows\GovernmentalPoetry 28773fb2….exe
File opened for modification  C:\Windows\MoBelongs          28773fb2….exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 14 rows are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; by process: cmd.exe ×5, findstr.exe ×3, tasklist.exe ×2, 28773fb2….exe ×1, Paintball.com ×1, choice.exe ×1, schtasks.exe ×1. Ordinary system binaries read this key during locale initialisation (note that findstr, tasklist and choice all trigger it here), so on its own this signature carries little weight.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2828  schtasks.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid   Process
2628  Paintball.com  (15 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1068  tasklist.exe
Token: SeDebugPrivilege  2380  tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid   Process
2628  Paintball.com  (3 events)

Suspicious use of SendNotifyMessage (3 IoCs)
pid   Process
2628  Paintball.com  (3 events)

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
2628  Paintball.com

Suspicious use of WriteProcessMemory (52 IoCs)
Grouped by writer and target; each pair was logged four times, and the target's image name is taken from the process tree.
writer pid  writer Process   target pid  target Process   procid_target  events
528         28773fb2….exe    2876        cmd.exe          31             4
2876        cmd.exe          1068        tasklist.exe     33             4
2876        cmd.exe          1208        findstr.exe      34             4
2876        cmd.exe          2380        tasklist.exe     36             4
2876        cmd.exe          1864        findstr.exe      37             4
2876        cmd.exe          1804        cmd.exe          38             4
2876        cmd.exe          2908        findstr.exe      39             4
2876        cmd.exe          2932        cmd.exe          40             4
2876        cmd.exe          2628        Paintball.com    41             4
2876        cmd.exe          2892        choice.exe       42             4
2628        Paintball.com    2544        cmd.exe          43             4
2628        Paintball.com    2800        cmd.exe          45             4
2544        cmd.exe          2828        schtasks.exe     46             4
Processes
Indentation shows the parent recorded for each process; the first line of each entry is the image path, the second the command line as executed, followed by the signatures attributed to it. The sample is a 32-bit image, so every child runs from C:\Windows\SysWOW64\ even where the command line names System32 (file-system redirection).

C:\Windows\Explorer.EXE  [PID 1216]
    C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\28773fb2aff96e836707d9ffd5e8aa706d0ce54c956fbee42b9dd9b150e997e8.exe  [PID 528]
      "C:\Users\Admin\AppData\Local\Temp\28773fb2aff96e836707d9ffd5e8aa706d0ce54c956fbee42b9dd9b150e997e8.exe"
      signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [PID 2876]
        "C:\Windows\System32\cmd.exe" /c copy Hazards Hazards.cmd && Hazards.cmd
        signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe  [PID 1068]
          tasklist
          signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe  [PID 1208]
          findstr /I "wrsa opssvc"
          signatures: System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\tasklist.exe  [PID 2380]
          tasklist
          signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe  [PID 1864]
          findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
          signatures: System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe  [PID 1804]
          cmd /c md 33988
          signatures: System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\findstr.exe  [PID 2908]
          findstr /V "EmergencyAdaptedResearchOrdinaryHeatherSuspendedHospitalsScanner" Cancer
          signatures: System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe  [PID 2932]
          cmd /c copy /b ..\Oe + ..\Increases + ..\Independently + ..\Devon + ..\Hotels + ..\Automobile + ..\Albany + ..\Georgia + ..\Guess + ..\Funeral w
          signatures: System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com  [PID 2628]
          Paintball.com w
          signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\choice.exe  [PID 2892]
          choice /d y /t 5
          signatures: System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  [PID 2544]  (recorded parent Explorer.EXE; actually created by Paintball.com, see NtCreateUserProcessOtherParentProcess and WriteProcessMemory above)
      cmd /c schtasks.exe /create /tn "Mon" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js'" /sc minute /mo 5 /F
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  [PID 2828]
        schtasks.exe /create /tn "Mon" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js'" /sc minute /mo 5 /F
        signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe  [PID 2800]  (recorded parent Explorer.EXE; actually created by Paintball.com)
      cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url" & echo URL="C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url" & exit
      signatures: Drops startup file; System Location Discovery: System Language Discovery

Reading the chain: the sample (PID 528) copies the extension-less file Hazards to Hazards.cmd and runs it. The batch script pipes tasklist into findstr twice to look for process names of security products (wrsa, opssvc, AvastUI, AVGUI, bdservicehost, nsWscSvc, ekrn, SophosHealth; only the first call uses /I for a case-insensitive match), creates the directory 33988, filters a marker line out of the file Cancer with findstr /V (the redirect that names the output file is handled by the parent cmd.exe, so it does not appear in the child's command line), and rebuilds a file named w by concatenating ten fragments with copy /b. It then launches 33988\Paintball.com with w as its argument; choice /d y /t 5 is the batch idiom for a five-second pause. Paintball.com (PID 2628), which carries nearly all of the behavioural signatures, sets up persistence with Explorer.EXE as the spoofed parent: a scheduled task named Mon that runs Securify360.js hidden (wscript //B) every five minutes, and a Securify360.url shortcut in the user's Startup folder pointing at the same script. Because install_flag is false in the extracted config, Remcos does not copy itself to the Remcos\remcos.exe location named there; the task and the Startup shortcut are the persistence to hunt for.
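The tree above is one run of the loader chain; what a detection engineer wants from it is rules that survive the next build, where the file names (Hazards, Cancer, Paintball.com, Securify360) will change but the shape will not. The example below is an added one, not code from the report or from Remcos, and runs over process-creation records constructed from the PIDs, images and command lines on this page (a Sysmon or EDR feed supplies the same fields). It flags the behaviours in the chain that are worth a rule: tasklist piped into findstr for security-product names, copy /b reassembly of fragments, a .com launched from %TEMP%, a scheduled task running a hidden wscript, and an [InternetShortcut] echoed into the Startup folder, plus a spoofed parent where the real creator is known. The creator_pid field is an assumption: the sandbox has it from NtCreateUserProcessOtherParentProcess, whereas most telemetry records only the PEB parent.

```python
"""Detection heuristics for the loader chain in this report.

Added example: EVENTS is constructed from the page's process tree, not captured
telemetry, and creator_pid is an assumed field (the sandbox's
NtCreateUserProcessOtherParentProcess data; most EDR feeds do not carry it)."""
import re
from dataclasses import dataclass
from typing import Optional

# Security-product process names the loader greps for, lower-cased, taken from
# the two findstr command lines in the report.
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}

STARTUP_URL = re.compile(r'\\start menu\\programs\\startup\\[^"]+\.url')
COPY_BINARY = re.compile(r"\bcopy\s+/b\s")
QUOTED = re.compile(r'"([^"]*)"')


@dataclass
class ProcEvent:
    pid: int
    ppid: int                          # parent as recorded in the tree (PEB parent)
    image: str
    cmdline: str
    creator_pid: Optional[int] = None  # real caller of NtCreateUserProcess, if known


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return sorted (pid, rule) pairs for the behaviours seen in this run."""
    findings = set()
    for e in events:
        img, cl = _basename(e.image), e.cmdline.lower()

        # 1. tasklist | findstr "<vendor processes>": AV/EDR discovery. Fire only
        #    when a tasklist.exe sibling shares the parent, i.e. the pipe is real.
        if img == "findstr.exe":
            words = set(" ".join(QUOTED.findall(cl)).split())
            has_tasklist = any(s.ppid == e.ppid and _basename(s.image) == "tasklist.exe"
                               for s in events)
            if words & AV_PROCESS_NAMES and has_tasklist:
                findings.add((e.pid, "av_discovery_tasklist_findstr"))

        # 2. copy /b a + b + c ...: payload reassembled from staged fragments.
        if img == "cmd.exe" and COPY_BINARY.search(cl) and cl.count("+") >= 3:
            findings.add((e.pid, "fragment_concatenation"))

        # 3. schtasks /create ... "wscript //B <script>": hidden-script persistence.
        if img == "schtasks.exe" and "/create" in cl and "wscript" in cl and "//b" in cl:
            findings.add((e.pid, "schtasks_hidden_wscript"))

        # 4. [InternetShortcut] echoed into the Startup folder as a .url file.
        if "[internetshortcut]" in cl and STARTUP_URL.search(cl):
            findings.add((e.pid, "startup_url_shortcut"))

        # 5. A .com image launched from %TEMP% (renamed interpreter or loader).
        if img.endswith(".com") and "\\appdata\\local\\temp\\" in e.image.lower():
            findings.add((e.pid, "temp_dot_com_execution"))

        # 6. Recorded parent differs from the process that actually created it.
        if e.creator_pid is not None and e.creator_pid != e.ppid:
            findings.add((e.pid, "spoofed_parent"))
    return sorted(findings)


# Constructed from the page's process tree (a subset; PIDs as reported there).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "28773fb2aff96e836707d9ffd5e8aa706d0ce54c956fbee42b9dd9b150e997e8.exe"
JS = r"C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js"
URL = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url"
EVENTS = [
    ProcEvent(1216, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(528, 1216, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(2876, 528, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c copy Hazards Hazards.cmd && Hazards.cmd'),
    ProcEvent(1068, 2876, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(1208, 2876, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ProcEvent(2380, 2876, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(1864, 2876, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    ProcEvent(2932, 2876, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b ..\Oe + ..\Increases + ..\Independently + ..\Devon + ..\Hotels"
              r" + ..\Automobile + ..\Albany + ..\Georgia + ..\Guess + ..\Funeral w"),
    ProcEvent(2628, 2876, TEMP + r"\33988\Paintball.com", "Paintball.com w"),
    ProcEvent(2544, 1216, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /c schtasks.exe /create /tn "Mon" /tr "wscript //B \'{JS}\'" /sc minute /mo 5 /F',
              creator_pid=2628),
    ProcEvent(2828, 2544, r"C:\Windows\SysWOW64\schtasks.exe",
              f'schtasks.exe /create /tn "Mon" /tr "wscript //B \'{JS}\'" /sc minute /mo 5 /F'),
    ProcEvent(2800, 1216, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /k echo [InternetShortcut] > "{URL}" & echo URL="{JS}" >> "{URL}" & exit',
              creator_pid=2628),
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid:>5}  {rule}")
```

Rule 1 deliberately requires a tasklist.exe sibling rather than matching findstr alone, since findstr with a vendor name in its arguments is common in administrative scripts; rule 2 keys on the number of "+" operands because a single copy /b is routine. Run against a real feed, the spoofed_parent rule needs a source that records the creating process (kernel callbacks or ETW process-start events with the creator's PID), not just the PEB parent that the process tree shows.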
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files (hashes only)

Filesize: 704KB
MD5: b2ff0600fda096c51d9708e2eddade53
SHA1: 5e34ca4bba9741256476e79e246ed5151c073c99
SHA256: 8f8a0006c93fbc5fbd31147a1b967175c964abb5f9db8f639fcfc7840b241a24
SHA512: 10b548431748f7df91b37d16cca716f63f9eee93db1082d895adb4916593ef3f2051147ae07890c26976579c7bdb489c6026e39aa2e316439e85b3e469621636

Filesize: 83KB
MD5: c3e50ef81367a341cf75df50def52b2d
SHA1: e0b0d31d00cfa6dd3e42c004cce8f0b5e556dcc4
SHA256: 64e68df4c8f3f684e45d09422adb521609539c518bb73d7749c88004573f3fa2
SHA512: 94d920985b0dde1a9f8647d5c732a7add05e5a6f501b02d9d511fc07cfa62394c7e25716aa880720aef7c9c2568f696aaaa555a16ef5d5ec354fc44f2ba8ce1f

Filesize: 85KB
MD5: 5afd0c99996c2f5b79957d7e571805be
SHA1: 8f46c56d8185362fd14a708bc536febf52aab37f
SHA256: e228a8330c23b23181fad534ce378d0e595b318797f4bffb617f5a09d8084454
SHA512: c62f77e42f1dd64ace9b6837ae149b0eb775abab91476eff54d86d883babc439ea096cc8dcf2508929d46be6a362d6091ff6cffd8b2e79f00bd359cc375648e9

Filesize: 319KB
MD5: 95d5c71511485e0977f79bbca432ab44
SHA1: 49fc139ad863ea70aaa7b74b6c69f79421849213
SHA256: 17859a0845a3aa3b871802e39aac960ca443be9a5436d4930d11602ff16a5c8c
SHA512: 18ab9362ea9b876e6bf7425c0215b7ef30834cdf819de2c34ff3dd78950d22c2a6d2527e0ba8235a9ba6c5cbc8261bd4333635af1cd04e9f3e9f1ab9162fdc8c

Filesize: 54KB
MD5: f7e62bb95a24d3c390a038eb976ab39c
SHA1: 982ef476a20d9dc2b26342b455f3ec1a4436adcc
SHA256: 332f851f3454e797c9eb1ac4defadc0edcd47ffe62711142360bd8adee1989c3
SHA512: d4e6e6bee7f1b26357d9435856fbc9bac2b208e6b2a87f7b0ca925b45aad8d3157aa01cee6fa1846e09c8f036127e322ffb748bc8313201624a8d5bbdd58cc33

Filesize: 19KB
MD5: 6828938f1ad5b911ce73ae4ad98dfc90
SHA1: 2c94d2e92256e7aacdab7e2a27466d82b70096f8
SHA256: 4bddf31e02d4e2028f9938fbf0e77b1f41442141b513464529d0c53b30e92a50
SHA512: 8eef0510a53033213de740c8b41c834220a8f449c208702d1ef66fffa73c311cef1499472ad43e87ecf77cac6c1448da5e3bdf42eeb71572034a98dfabb048b8

Filesize: 86KB
MD5: 043e3b4e7a35b8e60502464e0c6ce00c
SHA1: c77ce7d2b27b2e8df3104b3acbf2d5c16892599e
SHA256: 716e1250dcdea0c65da29317d36f57c9fbfbb08633e6602dbbf13e6045d82386
SHA512: 9a113f8b8e4a5098220c65e3be85860a0911fbf7e8f665383605e3cdf5648415cd8f4c57de845ccccd4fb462a25d4a29ffb91c0da81e0bbcd0a497cb333d53b1

Filesize: 78KB
MD5: 508e9659524c26bece1dcb56fd4ed434
SHA1: 508c414e66d6ce04c1c0f2d3c1847e340d23f0cf
SHA256: d72cb0ba935d8ff89eea87e4623e55b60993460f42ff4f5bb014cf36832139a5
SHA512: 7f12cfde9840fa2721fbdc6b130ce316291b899cf83849957e2b1298192343200fc9c7d3d2826d4b30fb791a26f7e4189fcef0b08945f9ab573e1d4e0196bffc

Filesize: 16KB
MD5: fea90ee4f7b41c990ccbfc1fe6cb36e2
SHA1: 27c232073d1aae528370c5c445168c5f18a81393
SHA256: 432282430dfdc908c5d10d815c2f209d2cf671729bec700c141a7c15f086a625
SHA512: 12dce50983c4e5c3e88ba05a172ab611b50edc91164253e465b3c4e6db13ef825b0d57a1c0040f80aa97e4bf49eea4bc8a50d1ba897dd2470bf600b87226b71e

Filesize: 59KB
MD5: a438b2533d1f397584a64b1930d0fb47
SHA1: d49f34043b3dd87e61c293ccfd32793cb84e2c01
SHA256: 45ea4b92260219f0f911a9f4e34d6e34a6acdce47bd4adabfbe6a590cbf1b180
SHA512: 1aea810407fb14911bd7e9218831771ca7b5c8a25b560108387300d3a6de4b12dc9d6d3dc7590f05324a8f9418839321c34727c846b2f5e63c1a45a166989674

Filesize: 82KB
MD5: 93ad89c806c4f0764e8ec1f2da32cd00
SHA1: e2d06933fa8593eac974632c8deb105dab8a69d6
SHA256: 30200f51a56ec16f0aa4ff3d6d2585556416da1c8d121644a6a70baf67ed00a9
SHA512: c60ec2af7540802fad89706e9c85348d3faf3efc2da1f662b274b3717d487c7ade374e4ca9ce1d9f91a3898e3f0e9c38c8a1d2648d9518b37bf52cdc5252e0a7

Filesize: 92KB
MD5: f7e35bfd4fa836e2b29743db6b7242e6
SHA1: aafd870b2d62baa20809a1d170a3bf7aa4d60c00
SHA256: 6dedc21c1f4fbd1b98ca7c9c964a4a37755a60fab376d39e8ef52343888bc5cb
SHA512: 37f5ded199e3a2f9cd7ce873fe2d022a856b2c1c985f48df1bef785327a483324ffa41e1f0c21def7bb59b7d80d109e4b57c338a53c63bf2fe2c3409c6259e70

Filesize: 125KB
MD5: fc98545e276bc0ba559a0d98a374f859
SHA1: f1bdf1c5112b26b2165057c6fc0f3c00efd0ece8
SHA256: 6203bcb6a49875494cbf42af8b701d68e29df5d5a4ecfbe2d5b83b3ed2e56a3f
SHA512: 00e2a755b77b086233b26f2f39b7b8a0ae660ed1d890691a5e0c619ccb8f810cd91d1b3ff72b07ef65e79710d96edf766da6dd62c12e6e64c16767b4410480c9

Filesize: 66KB
MD5: 77e4f81724b2590c5821fad1104a9c9d
SHA1: 71b19cdffc9a001c81716236e0ba4f3332ee421e
SHA256: 68d4ec5edbd9a43d0536280645c0744c3d0afdea5dbbeeb4c82d81e85f0e113b
SHA512: cbb5148937753e8450792ab36fa49fb1a38b0efcd1a7d6e72b62c7f888a04b18044f6c4da41dca259e7d37c8e6d7c687f6317bedb2853a61cdfbbb7cb635ce96

Filesize: 277KB
MD5: 38728077efb1aaf4a5302ee1b642e8e6
SHA1: 2c6125b8ef7cbf92a4afecbc81362bf9e112cb11
SHA256: 4f0274b7c37c160b40b6f4ed1b16d3401685a2d77cc2eb5a6833f5eb211db8d6
SHA512: 872d54274c0f2fa6204b354b2ab1f38646d4f208b8578a5a64bed18a216af2376b86628548918225ae35ea1255cea0453d88142b5f84015e515dacbdbb3befd4

Filesize: 44KB
MD5: 7e3393cad709862f92a1005bf68355c8
SHA1: 5bed6c4cb4ad2bc266356dc99b122f814800a945
SHA256: 97697a5494ba0cdff7bf5f6c68b7bdcb09878f49ec184de4010d550be10859cb
SHA512: a01c70c99eb9b990be8e66f97781998043570bb4de2e789669536403ba8329cdfa889f6485f8fe1422feaa5f50149cbae046da0aff121115977fab5fc401af5f

Filesize: 107KB
MD5: 1d7b5851c7e933b58f5a4a94e8c2fff0
SHA1: 35fdba1e3aebf7348b4478dee028904aba21e4ce
SHA256: 4d3d063a5a5a079c4d4e73f96e3c9aecdef3f1a5a16621f28cdba69daee42f4d
SHA512: 94e20dee259193d12d01a1188d8ff0c21346c1ff374fce9c63678c73d5520513f5b5ccd4c0bb6d6aabc29626f9f05edf184be65848ffddedb3358cb3fa8ff3d9

Filesize: 872KB
MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1: f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512: 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0