Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
17/12/2024, 02:11
Static task
static1
Behavioral task
behavioral1
Sample
1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
-
Size
759KB
-
MD5
e1dc71be5b3466d47a4934013be9b604
-
SHA1
4c6627a901ade3b1f0cd6a233085deb7e044ef97
-
SHA256
1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
-
SHA512
a44f75ea0eac848dd2b724b9a50fb5b0259382f61a047563689381e3a60fc07547c209b2acdddcb1dae371cdf51f0065e2a89ff0276299c0d72928af87c9aafc
-
SSDEEP
12288:GtomEHbPQsIbw8Z9TzDBWzowh0Nxj5gUZVroN64V23i3Qo+eSp5:TN7PXIdZlDBWUrx5gAVroNFHzU
Malware Config
Extracted
remcos
RemoteHost
162.251.122.87:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-UOMZ21
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Guloader family
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Remcos family
-
Detected Nirsoft tools 7 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral2/memory/2156-600-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/2680-609-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/2680-607-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/2320-601-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/2320-598-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/2156-597-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/2320-613-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/2156-600-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
behavioral2/memory/2156-597-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/2320-601-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/2320-598-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/2320-613-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
-
Loads dropped DLL 2 IoCs
pid | Process
4904 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
4904 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid | Process
3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
4904 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
-
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 4904 set thread context of 3588 | 4904 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 83
PID 3588 set thread context of 2320 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 95
PID 3588 set thread context of 2156 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 96
PID 3588 set thread context of 2680 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 97
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2320 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
2320 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
2680 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
2680 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
2320 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
2320 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
-
Suspicious behavior: MapViewOfSection 4 IoCs
pid | Process
4904 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2680 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 4904 wrote to memory of 3588 | 4904 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 83
PID 4904 wrote to memory of 3588 | 4904 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 83
PID 4904 wrote to memory of 3588 | 4904 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 83
PID 4904 wrote to memory of 3588 | 4904 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 83
PID 4904 wrote to memory of 3588 | 4904 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 83
PID 3588 wrote to memory of 2320 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 95
PID 3588 wrote to memory of 2320 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 95
PID 3588 wrote to memory of 2320 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 95
PID 3588 wrote to memory of 2156 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 96
PID 3588 wrote to memory of 2156 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 96
PID 3588 wrote to memory of 2156 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 96
PID 3588 wrote to memory of 2680 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 97
PID 3588 wrote to memory of 2680 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 97
PID 3588 wrote to memory of 2680 | 3588 | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | 97
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID: 4904
-
  Level 2: C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3588
  -
    Level 3: C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\yfhkeefakebbcudbhqpr"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2320
    -
    Level 3: C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\bzuufxqtymtgfbrfybbteew"
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID: 2156
    -
    Level 3: C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbznfpavuullppojhmouprjlkt"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2680
    -
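The injection chain under Signatures (WriteProcessMemory and SetThreadContext from 4904 into 3588, then from 3588 into 2320, 2156 and 2680) and the three /stext children under Processes are the two behaviours worth turning into detection logic. The script below is an added example, not part of the sandbox report: the PIDs, command lines and event strings are transcribed from the report above, while the record layout, the heuristics and the ATT&CK mapping in the comments are this example's own. It reconstructs the process tree, flags every parent that both wrote memory into and reset a thread context of a child spawned from its own image (the process-hollowing shape), and lists children re-launched with NirSoft's /stext output-file switch, which in this report are the processes where MailPassView (2156) and WebBrowserPassView (2320) were found in memory.

```python
"""Reconstruct the injection chain and credential-dump pattern from sandbox
behaviour events. Added example: event strings and process data are transcribed
from the report; the data model and heuristics are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    flags: Set[str] = field(default_factory=set)  # behaviour signatures seen on this process


# Process tree as listed under "Processes" in the report (pid, parent, command line, signatures).
PROCS: Dict[int, Proc] = {p.pid: p for p in [
    Proc(4904, None, SAMPLE, f'"{SAMPLE}"', {"NtSetInformationThreadHideFromDebugger"}),
    Proc(3588, 4904, SAMPLE, f'"{SAMPLE}"',
         {"NtCreateThreadExHideFromDebugger", "NtSetInformationThreadHideFromDebugger", "SetWindowsHookEx"}),
    Proc(2320, 3588, SAMPLE, rf'{SAMPLE} /stext "C:\Users\Admin\AppData\Local\Temp\yfhkeefakebbcudbhqpr"'),
    Proc(2156, 3588, SAMPLE, rf'{SAMPLE} /stext "C:\Users\Admin\AppData\Local\Temp\bzuufxqtymtgfbrfybbteew"'),
    Proc(2680, 3588, SAMPLE, rf'{SAMPLE} /stext "C:\Users\Admin\AppData\Local\Temp\lbznfpavuullppojhmouprjlkt"',
         {"SeDebugPrivilege"}),
]}

# Cross-process events as worded in the report's WriteProcessMemory / SetThreadContext tables (deduplicated).
EVENTS = """
PID 4904 wrote to memory of 3588
PID 4904 set thread context of 3588
PID 3588 wrote to memory of 2320
PID 3588 set thread context of 2320
PID 3588 wrote to memory of 2156
PID 3588 set thread context of 2156
PID 3588 wrote to memory of 2680
PID 3588 set thread context of 2680
""".strip().splitlines()

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)$")
KIND = {"wrote to memory of": "WriteProcessMemory", "set thread context of": "SetThreadContext"}
# NirSoft command-line switch that writes the recovered credentials to a plain-text file.
STEXT_RE = re.compile(r'(?i)(?:^|\s)/stext\s+"?([^"]+)"?')
DEBUGGER_EVASION = {"NtSetInformationThreadHideFromDebugger", "NtCreateThreadExHideFromDebugger"}


def parse_event(line: str) -> Tuple[str, int, int]:
    """'PID 4904 wrote to memory of 3588' -> ('WriteProcessMemory', 4904, 3588)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event: {line!r}")
    return KIND[m.group(2)], int(m.group(1)), int(m.group(3))


def build_chain(procs: Dict[int, Proc]) -> Dict[int, List[int]]:
    """Parent pid -> sorted child pids."""
    tree: Dict[int, List[int]] = {}
    for p in procs.values():
        if p.ppid is not None:
            tree.setdefault(p.ppid, []).append(p.pid)
    return {k: sorted(v) for k, v in tree.items()}


def find_hollowing(procs: Dict[int, Proc], lines: List[str]) -> List[Tuple[int, int]]:
    """(injector, target) pairs where a process both wrote into and reset a thread
    context of a child it spawned from its own image: the WriteProcessMemory +
    SetThreadContext + same-image shape of process hollowing (ATT&CK T1055.012)."""
    seen: Dict[Tuple[int, int], Set[str]] = {}
    for line in lines:
        kind, src, dst = parse_event(line)
        seen.setdefault((src, dst), set()).add(kind)
    hits = []
    for (src, dst), kinds in seen.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= kinds:
            s, d = procs.get(src), procs.get(dst)
            if s and d and d.ppid == src and s.image.lower() == d.image.lower():
                hits.append((src, dst))
    return sorted(hits)


def find_stext_dumps(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """Children re-launched from the parent's own image with /stext <file>:
    credential recovery dumped to disk (ATT&CK T1555). Returns (pid, output file)."""
    hits = []
    for p in procs.values():
        m = STEXT_RE.search(p.cmdline)
        parent = procs.get(p.ppid) if p.ppid is not None else None
        if m and parent and parent.image.lower() == p.image.lower():
            hits.append((p.pid, m.group(1)))
    return sorted(hits)


def find_debugger_evasion(procs: Dict[int, Proc]) -> List[int]:
    """Processes that hid threads from debuggers (ATT&CK T1622)."""
    return sorted(p.pid for p in procs.values() if p.flags & DEBUGGER_EVASION)


def triage(procs: Dict[int, Proc], lines: List[str]) -> Dict[str, object]:
    return {
        "tree": build_chain(procs),
        "hollowing": find_hollowing(procs, lines),
        "credential_dumps": find_stext_dumps(procs),
        "debugger_evasion": find_debugger_evasion(procs),
    }


if __name__ == "__main__":
    for key, value in triage(PROCS, EVENTS).items():
        print(f"{key}: {value}")
```

Run as-is it reports the chain 4904 -> 3588 -> {2156, 2320, 2680}, all four pairs as hollowing candidates, and the three randomly named %TEMP% files the /stext children were told to write; those files are the first thing to pull from a live host, since the report's config shows no persistence (install_flag false) and the in-memory stages are gone once the process exits.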
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5 00a5bc06b6782f43ea05b4570a73e122
SHA1 c27f90513a3bebf470bfc9bf2313dfd7ed27f220
SHA256 4265a812c897bae42aa52b3f3f1e0fafa8cffd75484f46fe0ec72d27f04b66f2
SHA512 b2b30e785d6135ee32062b0f632096316301b9293d08d8af833c1d1d78a1a75e2521278fd5e96d986ffade0b73326058069d038c44c1f0a0808d219891951c03
-
Filesize
22B
MD5 38f296e431f9e889c855110f746a1a1f
SHA1 a1f2212648b7d681e10a295ca270ec6ef9c7cb2a
SHA256 89870b6b02e2247d1e10942aceede7bf4adeb820bae945b77d0e2c5f5669e514
SHA512 a074bd4debd9aa11fc50c3ab1cd5b1aaf365931d790600818ea51a58bfca6ea17feb872a1a11dfd8542cd5e1798bdf171e4305e81e4a409a0253db31c84b91e9
-
Filesize
30B
MD5 f15bfdebb2df02d02c8491bde1b4e9bd
SHA1 93bd46f57c3316c27cad2605ddf81d6c0bde9301
SHA256 c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
SHA512 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1
-
Filesize
10B
MD5 9a53fc1d7126c5e7c81bb5c15b15537b
SHA1 e2d13e0fa37de4c98f30c728210d6afafbb2b000
SHA256 a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92
SHA512 b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1
-
Filesize
33B
MD5 d0c16d35895f4a76cb4fa85fc11c6842
SHA1 61d36c5b3fd3f0772608359b7ed9890b0474aee0
SHA256 d6063a46a92e1a2600bb31588a58cf906711aaaa1813e593c191da5881b46a59
SHA512 3595c1578f0c1a2d47d75f2c5260bd7b85551501c94a0abf609752e04e2e9f1f9d7a19f654d803a0c65d40d4b74dfb32d31bd88a9b8813e7466b914d2b800951
-
Filesize
45B
MD5 34d32f9b446e46883ec3157794403748
SHA1 e797e81a28e395ea751871b21e638e43d62d0f61
SHA256 a66d886953526d5601da515e1aa53a3f8cbc829aedd557cdf4d0f9573793486e
SHA512 48b0f49ca3604f5a21cb2b850ac19771a17e0fa03cf0b3d6e616e330f136c71dcc623ac36b5b801c4fda203327290b8e3f5ec01a0ea546a87c2ae89a88b74ed1
-
Filesize
52B
MD5 5d04a35d3950677049c7a0cf17e37125
SHA1 cafdd49a953864f83d387774b39b2657a253470f
SHA256 a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512 c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b
-
Filesize
11B
MD5 cda05fedfd1133dfc6439e441829b6ba
SHA1 e0dfbcfe83a13922d365506312212928871f9c0b
SHA256 27fad7aa07fb564d9f9e0cbaf6515fe34bb0f8647cd200fee1eaad0167523099
SHA512 1180a5fac7c9c8ce445b5966b45bda7d38bb65d2ae2b1bb096d01e09476622bb0bf745dfed3104cd7b5da766322653bb14720b3394e2cb87950191a66b94efaf
-
Filesize
16B
MD5 1a069d3d8cca839a3c2f44a0e833d67c
SHA1 2bdc93e3d3aac0914cd4d3d43210bc2b2c7f09cf
SHA256 0c09cbcf0803dc2c44739757d37fe7f33fa193d747df71db3172e68aa0ddb309
SHA512 970ed67a84e4132b0336cd8f7c07c4ab6dc56ce97993b64e4e94a80e76ee7bd4ca04349cd0113df5e04053fbfde9d27c3cb5ab61a9492d584b7febfcaddf53e2
-
Filesize
37B
MD5 bcc2d4708d4557cd6dfb4ca08164719c
SHA1 5158b5fb3bcd9238e69352fb94a039ec90eddf86
SHA256 b029fc5e9252f17e84ef53c084ba0d67a0931fa02eb9e5a13bba202a008d7553
SHA512 8f179a8895d1afe69d2ef5583eb63a1821ee94a0c30cd7c8cbb3ce40165bd1c0c5d30ea4156b81000e37c1ea71c57d34e059cd658e22056c4e06788badad54b2
-
Filesize
56B
MD5 24c65563d17054b07c6135e87a53cffd
SHA1 4765777312bf6c4c7272e61b4dbbce3202bb2d68
SHA256 e145085a50e8790798362058aa0b197b97b8ae38a54ff47ee89fd00dec4f47ce
SHA512 f6419106a5e5d864da20840817f473556140fc982e271380c3eed2a5be03c2dc68fb69ab1b2ba5698dec4ca477377e53c589f9b280faf436dd94767e5d0cb15f
-
Filesize
11KB
MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00
-
Filesize
55B
MD5 2598d3e10bec5798f73f49de505a8514
SHA1 4431b20a112e277250649a917f846a6627870a60
SHA256 08643cfe1a514214ae4175809b7eadbc0bff209e07adf091e91748dccf9ca874
SHA512 83687d6fb3238184b92f04cc70e54ede282d56e34f67781db6c4dfd9529cab30ba15d9ca3059b68f9d82eb87a8d6432e80ba0779d1438c1df861b0bb30905f24
-
Filesize
74B
MD5 16d513397f3c1f8334e8f3e4fc49828f
SHA1 4ee15afca81ca6a13af4e38240099b730d6931f0
SHA256 d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
SHA512 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3
-
Filesize
6B
MD5 50484c19f1afdaf3841a0d821ed393d2
SHA1 c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b
SHA256 6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c
SHA512 d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b
-
Filesize
20B
MD5 9111ba1d1ceb4b7f775d74730aac363e
SHA1 c0af4968c775735be12419b60b257ed4359cb9b2
SHA256 0883f5bab7d5dafd9efec59b917070f5d051f50b047951d1ea87dab27fef7b91
SHA512 836c5d3941109691f2589e317e10d661978d9fc4af435bde3467159913ff9192d6eab1efe3e50e2048d06ce0c85963efe1ac056e1fd6ff1d33ac05f25beabbbf
-
Filesize
39B
MD5 763ec4bcf1080106283ac75cc79cfdc5
SHA1 e916ad8ee0d278848350e957be6e99f8916c9f0e
SHA256 e9f76c3dcf61068c71c8748639c37793963e1929aca11eed3c2caed692bd17ff
SHA512 52273017ba7559aee2f73498b1d277517d2c163ab9eb6891a838664dd4b6ce3a576ae05116deecf502e8494522ce31209dffd2ab68462a75fb841592c83381d2
-
Filesize
25B
MD5 cc98cdbdb6e4571f9dbef3d7ef0cecb6
SHA1 0c6c945dacb7dc9269bb8659e61b6bd44e03b5f4
SHA256 fdd17f70c2c855ed3b81bf41d2dbff3a0d85a7f7b019f04c569f897188e0d3b3
SHA512 83a41e73d62f77faf633e3fc5fb4f0ee4984881dc7ed5bbfcd73be815c89a606349cb0adf5de1552cfd0ca0ff3d7bd9c2332658586e582158e53777e2fcfba4c
-
Filesize
59B
MD5 42d0d094fb9cf401430cd1377e6128db
SHA1 48b6b6a975ecb92b8fbbd7fc6a5f9aa858d9ad51
SHA256 1bce2e52c57c18758a9de5f51c9bec29fa42ab4881d269baa78c92a6c5fe9ab1
SHA512 63ee2eefa05e5113f69c4d60e4fa56651b2aa522b8b2e7f06b4fa2761486a12aa9fbd040cd921cd9169dbbf6e4850071445093461d7e0e7507e1bddd8e14c45a
-
Filesize
60B
MD5 33714fd37d9159cf4911fe47896b9e69
SHA1 77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611
SHA256 8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2
SHA512 e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a
-
Filesize
4KB
MD5 562a58578d6d04c7fb6bda581c57c03c
SHA1 12ab2b88624d01da0c5f5d1441aa21cbc276c5f5
SHA256 ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8
SHA512 3f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e