Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-12-2024 14:37
Static task: static1
Behavioral task: behavioral1
- Sample: Required order.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Required order.exe
- Resource: win10v2004-20241007-en
General
- Target: Required order.exe
- Size: 1.2MB
- MD5: 76d7147771fb4fcf69838261875d65e3
- SHA1: ee0313852c1035ea1f622ebd4212aa6d7ae7f95a
- SHA256: 3eda013dd1e1d67954f12f703672f40fe6a9f2be940947dc9091ccca1f82d124
- SHA512: 9f5ce27bfd3ac69bab06a3480d9659f05c1ac26a64652d423dcdcb879269e8b77571464ebb56d3ea60068b88b9939464d6cd4974edf4fe731c7488d1327ba231
- SSDEEP: 12288:gl1oeyWwQ0Z570ZE5Uyn0kKcUj9t1PZQSlIGeUf6pI7Z1lVfQvbZPiQ1gBMiZYKS:kYWwQo6UAcajBr1eNMZ1DkbZPi14HBR
Malware Config
Extracted
Family: remcos
Version: 3.2.1 Pro
- RemoteHost: kamilaczap.myddns.me:8382
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-FDNGIO
- screenshot_crypt: true
- screenshot_flag: true
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\mgtce.exe," | reg.exe
- Remcos family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | mgtce.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | Murgs.exe
- Executes dropped EXE (5 IoCs)
  pid | Process
  2232 | mgtce.exe
  1736 | AddInProcess32.exe
  1468 | Murgs.exe
  916 | Murgs.exe
  4524 | AddInProcess32.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2232 set thread context of 1736 | 2232 | mgtce.exe | 107
  PID 2232 set thread context of 4524 | 2232 | mgtce.exe | 112
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  884 | 1736 | WerFault.exe | 107
- System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Murgs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Required order.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mgtce.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Murgs.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 5 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  608 | cmd.exe
  4288 | PING.EXE
  4848 | cmd.exe
  1560 | PING.EXE
  740 | PING.EXE
- Runs ping.exe (1 TTPs, 3 IoCs)
  pid | Process
  1560 | PING.EXE
  740 | PING.EXE
  4288 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (35 IoCs; identical consecutive rows collapsed, count in last column)
  pid | Process | count
  2328 | Required order.exe | 25
  2232 | mgtce.exe | 3
  1468 | Murgs.exe | 1
  916 | Murgs.exe | 3
  2232 | mgtce.exe | 3
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2328 | Required order.exe
  Token: SeDebugPrivilege | 2232 | mgtce.exe
  Token: SeDebugPrivilege | 1468 | Murgs.exe
  Token: SeDebugPrivilege | 916 | Murgs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4524 | AddInProcess32.exe
- Suspicious use of WriteProcessMemory (51 IoCs; identical consecutive rows collapsed, count in last column)
  description | pid | Process | procid_target | count
  PID 2328 wrote to memory of 608 | 2328 | Required order.exe | 83 | 3
  PID 608 wrote to memory of 4288 | 608 | cmd.exe | 85 | 3
  PID 2328 wrote to memory of 4848 | 2328 | Required order.exe | 86 | 3
  PID 4848 wrote to memory of 1560 | 4848 | cmd.exe | 88 | 3
  PID 608 wrote to memory of 4816 | 608 | cmd.exe | 95 | 3
  PID 4848 wrote to memory of 740 | 4848 | cmd.exe | 102 | 3
  PID 4848 wrote to memory of 2232 | 4848 | cmd.exe | 106 | 3
  PID 2232 wrote to memory of 1736 | 2232 | mgtce.exe | 107 | 12
  PID 2232 wrote to memory of 4524 | 2232 | mgtce.exe | 112 | 12
  PID 2232 wrote to memory of 1468 | 2232 | mgtce.exe | 113 | 3
  PID 1468 wrote to memory of 916 | 1468 | Murgs.exe | 114 | 3
Processes (process tree; [n] is the depth of the process in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\Required order.exe (PID 2328)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Required order.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 608)
      Command line: "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mgtce.exe,"
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE (PID 4288)
        Command line: ping 127.0.0.1 -n 8
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\reg.exe (PID 4816)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mgtce.exe,"
        - Modifies WinLogon for persistence
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4848)
      Command line: "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Required order.exe" "C:\Users\Admin\AppData\Roaming\mgtce.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\AppData\Roaming\mgtce.exe"
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE (PID 1560)
        Command line: ping 127.0.0.1 -n 17
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\PING.EXE (PID 740)
        Command line: ping 127.0.0.1 -n 17
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
    [3] C:\Users\Admin\AppData\Roaming\mgtce.exe (PID 2232)
        Command line: "C:\Users\Admin\AppData\Roaming\mgtce.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (PID 1736)
          Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe (PID 884)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 500
            - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (PID 4524)
          Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\AppData\Local\Temp\Murgs.exe (PID 1468)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Murgs.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\Murgs.exe (PID 916)
            Command line: "C:\Users\Admin\AppData\Local\Temp\Murgs.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe (PID 2228)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1736 -ip 1736
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 7dca233df92b3884663fa5a40db8d49c
  SHA1: 208b8f27b708c4e06ac37f974471cc7b29c29b60
  SHA256: 90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c
  SHA512: d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07
- Filesize: 42KB
  MD5: 9827ff3cdf4b83f9c86354606736ca9c
  SHA1: e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
  SHA256: c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
  SHA512: 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579
- Filesize: 76KB
  MD5: 0e362e7005823d0bec3719b902ed6d62
  SHA1: 590d860b909804349e0cdc2f1662b37bd62f7463
  SHA256: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
  SHA512: 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
- Filesize: 51B
  MD5: bdf5a7baf3244630f282a7959325bf35
  SHA1: be958393dbb2ca6f2f0b928f2f152788e7f5964f
  SHA256: d3de8c8f1166f6fee71e6bc14d1330e4f2b50676418c1bd6325389ba388ebdba
  SHA512: 42d43716f6dfca1cf0735ef00185ddcc054426ce18aac79f76f15d1d4a2483d4bed619320d091afa14ab9e2efacf5356b046ba8be599b6b5ce3dd3126c28cc02
- Filesize: 54B
  MD5: 0292cd8c44f63e84621ab6d8ec760c99
  SHA1: f682b65c1b6248408c91508376cb4b4077f3d59e
  SHA256: 436cc1210fe07d68523ce4949c8a5571d0c47e5f21281196b7d20ae353d8b3fe
  SHA512: cd4b264ca28f2769903355974014ec94a47c17a2f9957e14752e42cc297676aaaac276d45aa5844ba2779aa635272fb5e0732db3ec0f4e0f6a9844bfb83d4231
- Filesize: 53B
  MD5: 9c46a76cae1fb8160df3c9ea7729b6f5
  SHA1: 42972e00b4aa410572f8f74fa1d9a63333d7ad97
  SHA256: 399f713613627652b28782c24d591df9a7b3b0d022ac66a6b94317fd1a0ebd68
  SHA512: 2c4de018866dfc523cf4c61b07e371491a5cd18bd5e86632afd760958b42f5344bcf012f088fd022c70ed333b46d44a988a5cb9066744b322d56fb664000d6d7
- Filesize: 1.2MB
  MD5: 76d7147771fb4fcf69838261875d65e3
  SHA1: ee0313852c1035ea1f622ebd4212aa6d7ae7f95a
  SHA256: 3eda013dd1e1d67954f12f703672f40fe6a9f2be940947dc9091ccca1f82d124
  SHA512: 9f5ce27bfd3ac69bab06a3480d9659f05c1ac26a64652d423dcdcb879269e8b77571464ebb56d3ea60068b88b9939464d6cd4974edf4fe731c7488d1327ba231
- Filesize: 148B
  MD5: f15e961df6dbd6ce2d8c794a18dfd375
  SHA1: 27c0752355a57fb35bbf3a106879511174233cab
  SHA256: 4899876fdfcf6a3e1705574a8df12f72ee9315ecd30e0eabbbbcfc8ff0aeefc2
  SHA512: 639484ad0ab2ba8560fbf13d8833ef5862ace6350abefe2be64b3a869992c05b256870438a21231766c09ac4303ef1a86577d9742c296378586f96467de83b6d