Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 01:33
Static task: static1
Behavioral task: behavioral1
  Sample: 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
  Resource: win7-20240903-en
General
Target: 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
Size: 945KB
MD5: 97dbc44370eaaa9f03b0a49214740b0c
SHA1: e49d9ea0e7380f49904e41c2a48ef0f2bcecd6ba
SHA256: 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631
SHA512: 2ddcd33620230fabc1a1ed2915c3f74dcfbfaf21c96af6d6359b99596dab655b14ebbe474d9c9b22aa167ffc16eb07effbf5ecabf2bb3a92f2019acfcfe4f190
SSDEEP: 24576:TcpPlcL6NZ/qpYGVsIHpY4hVj1ak+gMkFqufX:EPlcLq/qpsINDjgMbFR
Malware Config
Extracted
family: remcos
version: 3.1.5 Pro
botnet: Client
C2: jokerwe.duckdns.org:45131
C2: thegatorway.com:58764
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: start.exe
copy_folder: start
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: AV
keylog_path: %AppData%
mouse_option: false
mutex: -JTORVC
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 25
startup_value: start
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Signatures
(In this section "sample.exe" stands for 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe.)

Remcos family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried by sample.exe: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (1 IoC)
  PID 2364 (sample.exe) set the thread context of PID 2012 (sample.exe, target procid 102)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened by sample.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Key opened by schtasks.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Key opened by sample.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2192 schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2364 sample.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2364 sample.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2012 sample.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2364 (sample.exe) wrote to memory of PID 2192 (schtasks.exe, target procid 100): 3 events
  PID 2364 (sample.exe) wrote to memory of PID 2012 (sample.exe, target procid 102): 12 events
Processes
(process tree: image path, command line, PID, and the signatures the sandbox attached to that process)

C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe"
  PID 2364
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Windows\SysWOW64\schtasks.exe
       command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YgBIwxYcZP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8CDA.tmp"
       PID 2192
       - System Location Discovery: System Language Discovery
       - Scheduled Task/Job: Scheduled Task
  |
  +- C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
       command line: "C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe"
       PID 2012
       - System Location Discovery: System Language Discovery
       - Suspicious use of SetWindowsHookEx

Reading the tree: the command line names System32\schtasks.exe but the image that actually ran is SysWOW64\schtasks.exe, which is WoW64 file-system redirection and shows the sample runs as a 32-bit process. The second copy of the sample (PID 2012) is the process whose thread context PID 2364 replaced and into which it made 12 WriteProcessMemory calls, and it is the only process that installs a hook via SetWindowsHookEx (the usual user-mode API for keystroke and input capture); that sequence is consistent with the outer loader hollowing a suspended copy of itself and running the Remcos payload there. The scheduled task is created by PID 2364 before the payload process is prepared (target procid 100 versus 102), with the task definition passed as an XML file in %Temp%. Since the extracted config has install_flag false, this persistence belongs to the loader rather than to Remcos's own install routine.
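Added example (Python; not part of the sandbox report, of the sandbox product, or of Remcos): the two checks a triage script would run over the Signatures and Processes sections above. The first looks for the process-hollowing pattern (a parent writes into a child it spawned and then replaces the child's thread context); the second extracts schtasks /Create persistence and notes when the parent and the /XML definition sit in user-writable directories. PROCESSES and EVENTS are transcribed from the report; USER_WRITABLE, the function names and the argv tokenizer are assumptions written for this page.

```python
"""Triage checks over the process tree and API IoCs of this report.

Added example: not part of the sandbox report, of the sandbox product, or of
Remcos. PROCESSES and EVENTS are transcribed from the report; every function
name and the USER_WRITABLE list are hypothetical helpers written for this page.
"""
import re
from collections import Counter
from ntpath import basename, dirname

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe")

# From the report's Processes section: (pid, parent pid, image path, command line)
PROCESSES = [
    (2364, None, SAMPLE, f'"{SAMPLE}"'),
    (2192, 2364, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YgBIwxYcZP" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8CDA.tmp"'),
    (2012, 2364, SAMPLE, f'"{SAMPLE}"'),
]

# From the report's Signatures section: (api, acting pid, target pid or None)
EVENTS = (
    [("WriteProcessMemory", 2364, 2192)] * 3
    + [("WriteProcessMemory", 2364, 2012)] * 12
    + [("SetThreadContext", 2364, 2012)]
    + [("SetWindowsHookEx", 2012, None)]
)

# Directories an unprivileged user can write to (assumed list, lower-cased fragments)
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")


def in_user_writable(path):
    low = path.lower()
    return any(fragment in low for fragment in USER_WRITABLE)


def find_hollowing(processes, events):
    """Return [(parent_pid, child_pid)] for children that their parent both wrote
    into and whose thread context the parent replaced: the RunPE / process-hollowing
    sequence (CreateProcess suspended -> WriteProcessMemory -> SetThreadContext -> resume)."""
    pair_count = Counter((api, src, dst) for api, src, dst in events if dst is not None)
    hits = []
    for pid, ppid, _image, _cmd in processes:
        if ppid is None:
            continue
        wrote = pair_count[("WriteProcessMemory", ppid, pid)]
        retargeted = pair_count[("SetThreadContext", ppid, pid)]
        # Writes alone are noise: process creation itself shows up as a few
        # WriteProcessMemory calls into every new child (the 3 writes into
        # schtasks.exe in this report). SetThreadContext on top is the signal.
        if wrote and retargeted:
            hits.append((ppid, pid))
    return hits


def argv(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def find_schtasks_persistence(processes):
    """Flag schtasks.exe /Create calls; extract the task name and the /XML task
    definition, and note whether parent image and XML live in user-writable dirs."""
    image_of = {pid: image for pid, _, image, _ in processes}
    hits = []
    for pid, ppid, image, cmd in processes:
        if basename(image).lower() != "schtasks.exe":
            continue
        args = argv(cmd)
        lower = [a.lower() for a in args]
        if "/create" not in lower:
            continue

        def value_after(flag):
            i = lower.index(flag) if flag in lower else -1
            return args[i + 1] if 0 <= i < len(args) - 1 else None

        xml = value_after("/xml") or ""
        hits.append({
            "pid": pid,
            "task": value_after("/tn"),
            "xml": xml,
            "parent_in_user_dir": in_user_writable(dirname(image_of.get(ppid, ""))),
            "xml_in_user_dir": in_user_writable(dirname(xml)),
        })
    return hits


if __name__ == "__main__":
    print("hollowing:", find_hollowing(PROCESSES, EVENTS))
    for hit in find_schtasks_persistence(PROCESSES):
        print("schtasks persistence:", hit)
```

On this report the hollowing check returns only (2364, 2012): schtasks.exe also received writes from 2364 but never a SetThreadContext, which is why the rule requires both. The task check returns the task name Updates\YgBIwxYcZP and the %Temp% XML path, both flagged as user-writable; in a real pipeline the XML file (likely among the dropped files) is what you would open next to learn the trigger and the action.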
Network
DNS (all queries sent to 8.8.8.8:53; per flow: bytes sent / bytes received, packets sent / packets received; "process" is the sample, 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe, where the report attributes the flow; the PTR rows carry no process attribution)
PTR 8.8.8.8.in-addr.arpa -> dns.google | 66 B / 90 B, 1 / 1
PTR 217.106.137.52.in-addr.arpa -> response, no answer record | 73 B / 147 B, 1 / 1
PTR 83.210.23.2.in-addr.arpa -> a2-23-210-83.deploy.static.akamaitechnologies.com | 70 B / 133 B, 1 / 1
PTR 0.159.190.20.in-addr.arpa -> response, no answer record | 71 B / 157 B, 1 / 1
PTR 95.221.229.192.in-addr.arpa -> response, no answer record | 73 B / 144 B, 1 / 1
PTR 13.86.106.20.in-addr.arpa -> response, no answer record | 71 B / 157 B, 1 / 1
PTR 154.239.44.20.in-addr.arpa -> response, no answer record | 72 B / 158 B, 1 / 1
PTR 149.220.183.52.in-addr.arpa -> response, no answer record | 73 B / 147 B, 1 / 1
PTR 56.163.245.4.in-addr.arpa -> response, no answer record | 71 B / 157 B, 1 / 1
PTR 206.23.85.13.in-addr.arpa -> response, no answer record | 71 B / 145 B, 1 / 1
PTR 172.214.232.199.in-addr.arpa -> response, no answer record | 74 B / 128 B, 1 / 1
PTR 180.129.81.91.in-addr.arpa -> response, no answer record | 72 B / 147 B, 1 / 1
A jokerwe.duckdns.org (3 queries, 1 answered) -> 185.174.100.34 | 195 B / 81 B, 3 / 1 | process: sample
PTR 13.227.111.52.in-addr.arpa -> response, no answer record | 72 B / 158 B, 1 / 1
A thegatorway.com -> response, no answer record | 61 B / 134 B, 1 / 1
A thegatorway.com -> response, no answer record | 61 B / 134 B, 1 / 1
A thegatorway.com -> response, no answer record | 61 B / 134 B, 1 / 1
A jokerwe.duckdns.org (2 queries, 2 answered) -> 185.174.100.34 | 130 B / 146 B, 2 / 2 | process: sample

TCP (process: sample; the report lists bytes and packets sent only, nothing received)
185.174.100.34:45131 (jokerwe.duckdns.org) | 260 B, 5 packets
185.174.100.34:45131 (jokerwe.duckdns.org) | 260 B, 5 packets
185.174.100.34:45131 (jokerwe.duckdns.org) | 260 B, 5 packets
185.174.100.34:45131 (jokerwe.duckdns.org) | 208 B, 4 packets
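Added example (Python; not part of the report or of any sandbox product) that turns the Network section above into something actionable: it correlates the two configured C2 entries with the A answers and TCP flows, labels the un-attributed PTR lookups as resolver background rather than indicators, and emits a block-list. C2, DNS and TCP are transcribed from the report (DNS holds only a subset of the PTR rows); the function names are hypothetical helpers written for this page.

```python
"""Correlate the extracted Remcos C2 list with the DNS answers and TCP flows the
sandbox recorded, and separate them from resolver background noise.

Added example: not part of the sandbox report or of any sandbox product. C2, DNS
and TCP are transcribed from the report's Malware Config and Network sections
(DNS is a subset of the PTR rows); all function names are hypothetical helpers.
"""
from collections import defaultdict

SAMPLE = "7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe"

# Extracted config: C2 host:port list
C2 = ["jokerwe.duckdns.org:45131", "thegatorway.com:58764"]

# DNS flows: (qname, qtype, answers, process the report attributes the flow to)
DNS = [
    ("8.8.8.8.in-addr.arpa", "PTR", ["dns.google"], None),
    ("217.106.137.52.in-addr.arpa", "PTR", [], None),
    ("83.210.23.2.in-addr.arpa", "PTR", ["a2-23-210-83.deploy.static.akamaitechnologies.com"], None),
    ("13.227.111.52.in-addr.arpa", "PTR", [], None),
    ("jokerwe.duckdns.org", "A", ["185.174.100.34"], SAMPLE),  # 3 queries, 1 answer
    ("thegatorway.com", "A", [], None),                         # 3 queries, no answer
    ("jokerwe.duckdns.org", "A", ["185.174.100.34"], SAMPLE),  # 2 queries, 2 answers
]

# TCP flows: (dst ip, dst port, process, bytes sent, packets sent); the report
# lists no received bytes for these flows
TCP = [
    ("185.174.100.34", 45131, SAMPLE, 260, 5),
    ("185.174.100.34", 45131, SAMPLE, 260, 5),
    ("185.174.100.34", 45131, SAMPLE, 260, 5),
    ("185.174.100.34", 45131, SAMPLE, 208, 4),
]


def resolutions(dns):
    """Name -> set of IPv4 answers seen for A queries."""
    seen = defaultdict(set)
    for qname, qtype, answers, _ in dns:
        if qtype == "A":
            seen[qname].update(answers)
    return seen


def c2_status(c2, dns, tcp):
    """Per configured host:port: resolved IPs, flows sent there, bytes sent, and a
    state of 'unresolved', 'resolved, no traffic' or 'contacted'."""
    seen = resolutions(dns)
    status = {}
    for entry in c2:
        host, port = entry.rsplit(":", 1)
        port = int(port)
        ips = seen.get(host, set())
        flows = [f for f in tcp if f[0] in ips and f[1] == port]
        if not ips:
            state = "unresolved"
        elif not flows:
            state = "resolved, no traffic"
        else:
            state = "contacted"
        status[entry] = {
            "ips": sorted(ips),
            "flows": len(flows),
            "tx_bytes": sum(f[3] for f in flows),
            "state": state,
        }
    return status


def unattributed_ptr(dns):
    """Reverse lookups the report ties to no process: resolver/OS background
    (Google DNS, Akamai, cloud ranges) that must not be promoted to indicators."""
    return [qname for qname, qtype, _, proc in dns if qtype == "PTR" and proc is None]


def indicators(c2, dns, tcp):
    """Block-list candidates: every configured C2 host:port (an unresolved C2 can
    come online after detonation) plus each ip:port a C2 name resolved to."""
    out = set(c2)
    for entry, info in c2_status(c2, dns, tcp).items():
        port = entry.rsplit(":", 1)[1]
        out.update(f"{ip}:{port}" for ip in info["ips"])
    return sorted(out)


if __name__ == "__main__":
    for entry, info in c2_status(C2, DNS, TCP).items():
        print(entry, info)
    print("background PTR:", unattributed_ptr(DNS))
    print("indicators:", indicators(C2, DNS, TCP))
```

Run as-is it reports jokerwe.duckdns.org:45131 as contacted (resolved to 185.174.100.34, four flows, 988 B sent, nothing received listed, which is consistent with repeated connection attempts at the configured connect_interval of 1 with no reply from the server) and thegatorway.com:58764 as unresolved. Keeping the unresolved entry on the block-list matters: the config names it regardless of whether it answered during the 150 s network window.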
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: af0b3a0fd88d38b36fa396a7be442371
  SHA1: 086948d1d0942ad403c33e9861540dee726bf895
  SHA256: 76ec287689a781c9941d1dab602c206cc730e0467c37586ee86ad106a433f45f
  SHA512: c0663ad336862b37c958fa623b0272c04ead1c74fcfadca9ba5fc1b31fc8475615b6bcc7e34ee72dffc441a0b4acbaf53a147563eaca6a436fd71576effa6b59
File 2
  Filesize: 148B
  MD5: b5894c6bb9dc9d3b0beed808d46548fb
  SHA1: 74b552ceb30434835b25507a5ad83c1b1a927c6e
  SHA256: 9f9542873426409ebb5f9f94bea3fb0d438b94b70fbbb4dd29f2fa8ce94ee9be
  SHA512: 7761cdbd6efdb9722ea31170d1418d68c01e960af2d34839cc1fc401883bc4e5beebb0b34819e98809c39f8ad49604c0017b0a0038eb3280036a3535bd14d166