Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2024 14:37
Static task: static1
Behavioral task: behavioral1
- Sample: Required order.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Required order.exe
- Resource: win10v2004-20241007-en
General
- Target: Required order.exe
- Size: 1.2MB
- MD5: 76d7147771fb4fcf69838261875d65e3
- SHA1: ee0313852c1035ea1f622ebd4212aa6d7ae7f95a
- SHA256: 3eda013dd1e1d67954f12f703672f40fe6a9f2be940947dc9091ccca1f82d124
- SHA512: 9f5ce27bfd3ac69bab06a3480d9659f05c1ac26a64652d423dcdcb879269e8b77571464ebb56d3ea60068b88b9939464d6cd4974edf4fe731c7488d1327ba231
- SSDEEP: 12288:gl1oeyWwQ0Z570ZE5Uyn0kKcUj9t1PZQSlIGeUf6pI7Z1lVfQvbZPiQ1gBMiZYKS:kYWwQo6UAcajBr1eNMZ1DkbZPi14HBR
Malware Config
Extracted: remcos (version 3.2.1 Pro)
- RemoteHost: kamilaczap.myddns.me:8382
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-FDNGIO
- screenshot_crypt: true
- screenshot_flag: true
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\mgtce.exe," (process: reg.exe)

Remcos family

Executes dropped EXE (4 IoCs)
- PID 2628 mgtce.exe
- PID 2928 AddInProcess32.exe
- PID 2472 Murgs.exe
- PID 2916 Murgs.exe

Loads dropped DLL (4 IoCs)
- PID 2784 cmd.exe
- PID 2628 mgtce.exe
- PID 2628 mgtce.exe
- PID 2472 Murgs.exe

Suspicious use of SetThreadContext (1 IoC)
- PID 2628 set thread context of 2928 (process: mgtce.exe, procid_target 40)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe (2 entries), PING.EXE (3 entries), reg.exe, Required order.exe, mgtce.exe, Murgs.exe (2 entries)

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 5 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PID 2844 cmd.exe
- PID 2736 PING.EXE
- PID 2784 cmd.exe
- PID 2028 PING.EXE
- PID 2592 PING.EXE

Runs ping.exe (1 TTP, 3 IoCs)
- PID 2736 PING.EXE
- PID 2028 PING.EXE
- PID 2592 PING.EXE

Suspicious behavior: EnumeratesProcesses (14 IoCs, identical entries grouped with counts)
- PID 2148 Required order.exe (5 entries)
- PID 2628 mgtce.exe (5 entries)
- PID 2472 Murgs.exe (1 entry)
- PID 2916 Murgs.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 2148 Required order.exe
- Token: SeDebugPrivilege, PID 2628 mgtce.exe
- Token: SeDebugPrivilege, PID 2472 Murgs.exe
- Token: SeDebugPrivilege, PID 2916 Murgs.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2928 AddInProcess32.exe

Suspicious use of WriteProcessMemory (49 IoCs, identical entries grouped with counts)
- PID 2148 Required order.exe wrote to memory of 2844 (procid_target 31), 4 entries
- PID 2844 cmd.exe wrote to memory of 2736 (procid_target 33), 4 entries
- PID 2148 Required order.exe wrote to memory of 2784 (procid_target 34), 4 entries
- PID 2784 cmd.exe wrote to memory of 2028 (procid_target 36), 4 entries
- PID 2844 cmd.exe wrote to memory of 2692 (procid_target 37), 4 entries
- PID 2784 cmd.exe wrote to memory of 2592 (procid_target 38), 4 entries
- PID 2784 cmd.exe wrote to memory of 2628 (procid_target 39), 4 entries
- PID 2628 mgtce.exe wrote to memory of 2928 (procid_target 40), 13 entries
- PID 2628 mgtce.exe wrote to memory of 2472 (procid_target 41), 4 entries
- PID 2472 Murgs.exe wrote to memory of 2916 (procid_target 42), 4 entries
Processes

C:\Users\Admin\AppData\Local\Temp\Required order.exe (PID 2148, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Required order.exe"
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2844, level 2)
  Command line: "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mgtce.exe,"
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 2736, level 3)
    Command line: ping 127.0.0.1 -n 6
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

    C:\Windows\SysWOW64\reg.exe (PID 2692, level 3)
    Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mgtce.exe,"
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 2784, level 2)
  Command line: "cmd" /c ping 127.0.0.1 -n 8 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Required order.exe" "C:\Users\Admin\AppData\Roaming\mgtce.exe" && ping 127.0.0.1 -n 8 > nul && "C:\Users\Admin\AppData\Roaming\mgtce.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 2028, level 3)
    Command line: ping 127.0.0.1 -n 8
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

    C:\Windows\SysWOW64\PING.EXE (PID 2592, level 3)
    Command line: ping 127.0.0.1 -n 8
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

    C:\Users\Admin\AppData\Roaming\mgtce.exe (PID 2628, level 3)
    Command line: "C:\Users\Admin\AppData\Roaming\mgtce.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (PID 2928, level 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Local\Temp\Murgs.exe (PID 2472, level 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Murgs.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Murgs.exe (PID 2916, level 5)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Murgs.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads