Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 11:40
Static task
static1
Behavioral task
behavioral1
Sample
OverdriveNTool_0.2.9/OverdriveNTool.exe
Resource
win7-20240903-en
General
-
Target
OverdriveNTool_0.2.9/OverdriveNTool.exe
-
Size
2.9MB
-
MD5
b64dbdbb60d0edab5bf3608d9973d7b5
-
SHA1
470ec316274648567965ac7912cb8fbfc5763c47
-
SHA256
731f26f74722af06e463904102705bc856f20852faecb08b5fda6b7bc0e5539c
-
SHA512
2d21e148db3e5a60075609ca0b4e5cabba7bf15299ed49ebe81f73844440090f8d935e919e2e7368927890b4d51514518bf9467ab01a1db0a3bbae50153719a9
-
SSDEEP
49152:gLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvM0:cwSi0b67zeCzt0+yO3kSf
Malware Config
Extracted
remcos
2.6.0 Pro
�����
37.1.206.16:5757
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Windows.exe
-
copy_folder
Temp
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
13asdadsSDSSDSDSD12132az-BMS9FK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Defender
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
Remcos family
-
Blocklisted process makes network request 20 IoCs
flow pid Process 41 4540 cmd.exe 42 4540 cmd.exe 45 4540 cmd.exe 47 4540 cmd.exe 48 4540 cmd.exe 49 4540 cmd.exe 50 4540 cmd.exe 51 4540 cmd.exe 53 4540 cmd.exe 57 4540 cmd.exe 58 4540 cmd.exe 59 4540 cmd.exe 60 4540 cmd.exe 61 4540 cmd.exe 62 4540 cmd.exe 63 4540 cmd.exe 64 4540 cmd.exe 65 4540 cmd.exe 66 4540 cmd.exe 67 4540 cmd.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation OverdriveNTool.exe -
Executes dropped EXE 2 IoCs
pid Process 4744 OverdriveNTool9.exe 4544 OnePlus.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\OverdriveNTool\OverdriveNTool9.exe OverdriveNTool.exe File opened for modification C:\Program Files (x86)\OverdriveNTool\OnePlus.exe OverdriveNTool.exe File created C:\Program Files (x86)\OverdriveNTool\is-N6UDU.tmp OverdriveNTool.exe File created C:\Program Files (x86)\OverdriveNTool\is-R9SSL.tmp OverdriveNTool.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\ctmon.job cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OverdriveNTool.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OverdriveNTool9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OnePlus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OverdriveNTool.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1516 OverdriveNTool.exe 1516 OverdriveNTool.exe 4544 OnePlus.exe 2220 notepad.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2220 notepad.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1516 OverdriveNTool.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1628 wrote to memory of 1516 1628 OverdriveNTool.exe 85 PID 1628 wrote to memory of 1516 1628 OverdriveNTool.exe 85 PID 1628 wrote to memory of 1516 1628 OverdriveNTool.exe 85 PID 1516 wrote to memory of 4744 1516 OverdriveNTool.exe 86 PID 1516 wrote to memory of 4744 1516 OverdriveNTool.exe 86 PID 1516 wrote to memory of 4744 1516 OverdriveNTool.exe 86 PID 1516 wrote to memory of 4544 1516 OverdriveNTool.exe 87 PID 1516 wrote to memory of 4544 1516 OverdriveNTool.exe 87 PID 1516 wrote to memory of 4544 1516 OverdriveNTool.exe 87 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89 PID 4544 wrote to memory of 2220 4544 OnePlus.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\OverdriveNTool_0.2.9\OverdriveNTool.exe"C:\Users\Admin\AppData\Local\Temp\OverdriveNTool_0.2.9\OverdriveNTool.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\OverdriveNTool_0.2.9\OverdriveNTool.exe"C:\Users\Admin\AppData\Local\Temp\OverdriveNTool_0.2.9\OverdriveNTool.exe" /VERYSILENT2⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Program Files (x86)\OverdriveNTool\OverdriveNTool9.exe"C:\Program Files (x86)\OverdriveNTool\OverdriveNTool9.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4744
-
-
C:\Program Files (x86)\OverdriveNTool\OnePlus.exe"C:\Program Files (x86)\OverdriveNTool\OnePlus.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2220 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4540
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD511c4fee0fa8ca33059d0e54e2f968447
SHA1206fc648bfd44ed2a0647665088a7cd240ca2e6f
SHA25667991e6c3dc3ca7eaaa628f3d1349e59d5dcfba88c05c23188fa22ce7f637c5d
SHA512dd61f1de81efb8ae3610d3a95836542c3eec86c7573880ff6790545134a93122457d5eca06cc5586ac70196a5bf8a761c6ad4d1474f2b63b71313d0c1b2f64ca
-
Filesize
3.3MB
MD59d0b0d3ce4b1479ee0ad3ab659691dc9
SHA12a7d5add5ade9dbc7b03ab6e28b9085d14579c2e
SHA2560856dd07f6efa48729888ba519e2a3fd4eaa37de3463eb7bc838e45d2b5790e6
SHA512d69235d2e426f4e82337110a3795833e94ef362ffa27c10fd1a4febbc0422038c7d29064da064d565f59532a9a22c6487dc3be595753ea7bd920214cc4f591b9