Analysis

max time kernel: 117s
max time network: 116s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2024 01:41
Static task: static1
Behavioral task: behavioral1
Sample: bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe
Resource: win7-20241010-en
General

Target: bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe
Size: 1.2MB
MD5: ebfc87afe94a6323242d16dd1ebf9b80
SHA1: 347bc60b22f6ba18de247260336ec8908b7dc05e
SHA256: bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804
SHA512: f4d86f04d0e6d4bb971022b99c79cc647f6f9ff1c5d1a5319324b6f19710d554a9c7548c8b3d73fde9f06813404a425a35033e2284338f4779180ec7054f9104
SSDEEP: 24576:FTqdmN5O7j/gb4aoXLJBOKjISnFZ53TMTK/vmmlSdnDdOvpdYUWg5XQBppynhJk/:HzzcdbOExFZRTMK/OiS6R2KKpeXm147E
Malware Config

Extracted
Family: remcos
Botnet: ASG001-01
C2: salma12.myftp.org:2525

audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-9R7QED
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Remcos family

Executes dropped EXE (1 IoC)
  pid   Process
  1764  Tex.com

Loads dropped DLL (1 IoC)
  pid   Process
  3068  cmd.exe

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   Process
  2220  tasklist.exe
  1504  tasklist.exe

Drops file in Windows directory (4 IoCs)
  description                   ioc                       Process
  File opened for modification  C:\Windows\GregEncounter  bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe
  File opened for modification  C:\Windows\RopeSpot       bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe
  File opened for modification  C:\Windows\DropsWhere     bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe
  File opened for modification  C:\Windows\RobertsonTree  bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (3), findstr.exe (3), tasklist.exe (2), Tex.com, choice.exe, bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe
Note that the stock system binaries in the chain (cmd.exe, findstr.exe, tasklist.exe, choice.exe) open the same key, so this signature reflects the ordinary locale lookup every console process performs at least as much as deliberate discovery; on its own it is a weak indicator.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1764  Tex.com (3 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2220  tasklist.exe
  Token: SeDebugPrivilege   1504  tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  1764  Tex.com (3 events)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  1764  Tex.com (3 events)

Suspicious use of WriteProcessMemory (40 IoCs; each parent/child pair below is recorded four times)
  description                        pid   Process                                                                   procid_target
  PID 2996 wrote to memory of 3068   2996  bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe  30
  PID 3068 wrote to memory of 2220   3068  cmd.exe                                                                   32
  PID 3068 wrote to memory of 2112   3068  cmd.exe                                                                   33
  PID 3068 wrote to memory of 1504   3068  cmd.exe                                                                   35
  PID 3068 wrote to memory of 1784   3068  cmd.exe                                                                   36
  PID 3068 wrote to memory of 1340   3068  cmd.exe                                                                   37
  PID 3068 wrote to memory of 1676   3068  cmd.exe                                                                   38
  PID 3068 wrote to memory of 612    3068  cmd.exe                                                                   39
  PID 3068 wrote to memory of 1764   3068  cmd.exe                                                                   40
  PID 3068 wrote to memory of 1584   3068  cmd.exe                                                                   41
Processes

C:\Users\Admin\AppData\Local\Temp\bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe  (PID 2996)
  command line: "C:\Users\Admin\AppData\Local\Temp\bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 3068, child of 2996)
    command line: "C:\Windows\System32\cmd.exe" /c copy William William.cmd && William.cmd
    (the command line names System32, but the 32-bit sample is subject to WOW64 file system redirection, so the SysWOW64 copy of cmd.exe runs; the same applies to every child below)
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tasklist.exe  (PID 2220, child of 3068)
      command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\findstr.exe  (PID 2112, child of 3068)
      command line: findstr /I "wrsa opssvc"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\tasklist.exe  (PID 1504, child of 3068)
      command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\findstr.exe  (PID 1784, child of 3068)
      command line: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 1340, child of 3068)
      command line: cmd /c md 348017
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\findstr.exe  (PID 1676, child of 3068)
      command line: findstr /V "CarlIndependentTilesAdditionCommitGovtRelElder" Organized
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 612, child of 3068)
      command line: cmd /c copy /b ..\Falls + ..\Buddy + ..\Salem + ..\Arab + ..\Swingers + ..\Eleven + ..\Qualification + ..\Drives + ..\Hostel A
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\348017\Tex.com  (PID 1764, child of 3068)
      command line: Tex.com A
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\choice.exe  (PID 1584, child of 3068)
      command line: choice /d y /t 5
      - System Location Discovery: System Language Discovery
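The process tree is the part of this report a defender can write detections against: the sample copies a file to William.cmd and runs it, the batch script greps tasklist output for security-product process names, strips a marker line from a file with findstr /V, reassembles a payload with copy /b, runs the dropped Tex.com from an all-digit directory under %TEMP%, and uses choice /t as a delay. The following is an added example, not part of the sandbox report: Python that replays process-creation events constructed from the Processes section above and flags each of those stages. The event tuple layout, the rule names and the thresholds (two or more "+" operands, a marker literal of at least 16 letters, ppid 0 for the unseen launcher) are this example's own assumptions; the security-product names are copied from the report's findstr command lines.

```python
"""Detection pass over the process chain in this report (added example, not part
of the sandbox output). EVENTS is constructed from the Processes section; the
tuple layout, rule names and thresholds are this example's own choices."""
import re
from collections import defaultdict

SAMPLE = "bfaff05d955bf301ac5617ce3a35f4f58322851f79bd65f3e637d89f4da09804N.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS32 = r"C:\Windows\SysWOW64"

# Security-product process names copied from the report's two findstr lines.
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}

# Constructed process-creation events: (pid, ppid, image, command line).
# ppid 0 stands for the sandbox launcher, which the report does not show.
EVENTS = [
    (2996, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (3068, 2996, SYS32 + r"\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c copy William William.cmd && William.cmd'),
    (2220, 3068, SYS32 + r"\tasklist.exe", "tasklist"),
    (2112, 3068, SYS32 + r"\findstr.exe", 'findstr /I "wrsa opssvc"'),
    (1504, 3068, SYS32 + r"\tasklist.exe", "tasklist"),
    (1784, 3068, SYS32 + r"\findstr.exe",
     'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    (1340, 3068, SYS32 + r"\cmd.exe", "cmd /c md 348017"),
    (1676, 3068, SYS32 + r"\findstr.exe",
     'findstr /V "CarlIndependentTilesAdditionCommitGovtRelElder" Organized'),
    (612, 3068, SYS32 + r"\cmd.exe",
     r"cmd /c copy /b ..\Falls + ..\Buddy + ..\Salem + ..\Arab + ..\Swingers"
     r" + ..\Eleven + ..\Qualification + ..\Drives + ..\Hostel A"),
    (1764, 3068, TEMP + r"\348017\Tex.com", "Tex.com A"),
    (1584, 3068, SYS32 + r"\choice.exe", "choice /d y /t 5"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_TEMP_NUMERIC_DIR = re.compile(re.escape(TEMP.lower()) + r"\\(\d+)\\([^\\]+)$")


def tokens(cmdline):
    """Whitespace-split a Windows command line; a quoted string is one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def index(events):
    """Return (pid -> (ppid, image, cmdline), ppid -> [child pids])."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return by_pid, children


def detect(events):
    """Return (rule, pid, detail) findings for the dropper stages seen above."""
    by_pid, children = index(events)
    findings = []
    for pid, ppid, image, cmd in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        toks = tokens(cmd)
        low = [t.lower() for t in toks]
        args = [t for t in toks[1:] if not t.startswith("/")]  # non-switch arguments

        if exe == "findstr.exe":
            # 1. Security-product discovery. The sandbox logs both halves of
            #    "tasklist | findstr" as siblings, so look for a tasklist sibling.
            words = {w.lower() for a in args for w in a.split()}
            hits = sorted(words & AV_PROCESS_NAMES)
            tasklist_sibling = any(by_pid[c][1].lower().endswith("\\tasklist.exe")
                                   for c in children[ppid])
            if hits and tasklist_sibling:
                findings.append(("av_discovery", pid, " ".join(hits)))
            # 2. Marker stripping: "findstr /V <long literal> <file>" removes one
            #    marker line to carve a payload out of a decoy (16 chars: assumed).
            if "/v" in low and len(args) == 2 and len(args[0]) >= 16 and args[0].isalpha():
                findings.append(("marker_strip", pid, f"{args[0]} from {args[1]}"))

        # 3. Payload reassembly: "copy /b a + b + ... out" glues split fragments
        #    back together so no single dropped file looks like an executable.
        if exe == "cmd.exe" and "copy" in low and "/b" in low and low.count("+") >= 2:
            findings.append(("copy_b_reassembly", pid,
                             f"{low.count('+') + 1} fragments -> {toks[-1]}"))

        # 4. Binary run from an all-digit directory under %TEMP%; Windows loads
        #    a PE by its header, so the .com extension changes nothing.
        m = _TEMP_NUMERIC_DIR.match(image.lower())
        if m:
            findings.append(("exec_from_temp_numeric_dir", pid, f"{m.group(2)} in {m.group(1)}"))

        # 5. "choice /d <key> /t <seconds>" as a sleep primitive, in place of the
        #    timeout or ping calls that naive delay rules key on.
        if exe == "choice.exe" and "/t" in low:
            findings.append(("choice_sleep", pid, low[low.index("/t") + 1] + "s"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:<27} pid={pid:<5} {detail}")
```

Run as a script it prints one line per finding; on the events above every rule fires, all under the single cmd.exe (PID 3068). Rule 1 keys on the sibling relationship rather than a pipe because neither this sandbox nor a process-creation telemetry source sees the pipe itself, only two children of the same shell.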
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 686KB
MD5: 26538334feac348cac40e882e1d07815
SHA1: 82c1405d6338c50fc34ee7a119797efb0c6f5877
SHA256: 3d948708558f5478920d1a844ff941a7492d3b99f5a142a7782ae1bf2247baed
SHA512: dd3d61fb9632e1a16b7bcb9e1f3c55e69176a40180f3fc3c7e28c9773dd424ab276dc97a7abb9c7c3ede5218aca6ded98da130a7516e8fbb96ede3cd684e2f3b

Filesize: 70KB
MD5: 92437159649378030f8f35852b8d2390
SHA1: 90bfc8373d61ae3771e76e24c05aafbc0cfe101d
SHA256: f085706562e91c64998284de23bfd992dd11a7e82dee7f1899e2943846f2c366
SHA512: 6728b258765cd0e9fe18d2f49ad80a4b22ac5d113097bcfe4060d5a5419e1ed429f65bd9bb2ad34040541af3c5dcec0ab3cee9644df19c212eb270066f4fe3ac

Filesize: 77KB
MD5: 0d6155f54c8de6d2a5ad5d5861ed536a
SHA1: 140c455256b43d0e9bc966c48a5fed7e2dcbd39b
SHA256: 58badf9d9d297267744362fc4ae5950d56714b1163a9232832b9c5ce1bad1887
SHA512: 68b9f0a7be794ddea3cb83e78344cb596e619b37e0da4e9b7ee1bcf8e17e5bac97df662e5482636832cd0e7733122c9134df9d97a7fb1e2828ee47c7878916db

Filesize: 90KB
MD5: 00bf96841d0008696b2e299df88b9850
SHA1: c126e32bda2fdb09d93ebecb78f2b360a69a8ff7
SHA256: 1f1af17137d36a95ba578cf88a9d34bd70e576bc9d4abde63817f28c150d693f
SHA512: 6890933ca01446187b9d91d2b2a975003ac2d1245ed64dcbab76479783e1d0b60d24f1fc202ef823f26a5b7d3ebbdaa079c7ab7b1da9c48559bc455de42285eb

Filesize: 32KB
MD5: e7984087809f264e7016168e04a54ab9
SHA1: 8049e213551d2404429ecfb6e5460a65164ced02
SHA256: d8a5274958d411fbb67c6ae0662b2ea66120f571015d03e0e81b344ccc417727
SHA512: fbfc508d961a58138a78eb3c8fe7fd83cc467f7c734accf76b5d396e7567f30bcc3d610010edbd971d599e4c99f71d87c72d7c922fb9a391dbcf5651c406fb71

Filesize: 105KB
MD5: b7a235e0aedaca45dd529cbc73896bd6
SHA1: 208eabcf3eae139fa2bb2914806a8a072caa6c05
SHA256: 57bd04883b85d92cc2ddbe64f4d867c090039e107b6bfc449a59938a49d507ec
SHA512: bfa71405eb330d6247bada019400fb78030ce907422a46118290810b57c92ca079ec2e0b6571149b3eb4e9afa1552bd28818fcea0761d92783414567c9bd9c6e

Filesize: 72KB
MD5: 266ea7fd372b17747fa7f92e005a21eb
SHA1: d6d415de73bdeec7de9ceff684025693acdfe65a
SHA256: b8b658cbc2100678d1d3f63c903ff3ae2ff2446bfc1ee86cd1d97596ee5e3813
SHA512: 3551db187aa33b6be0eb40ebd07c1d54197cf1298912e8b29a3361eb28fd5741d8acb88cb11ee82603594e64f11ef2e1444461a0c625fddad877adc7424e160c

Filesize: 77KB
MD5: 85f61623dc7db2de58e1285923df189b
SHA1: 6122df3cb0e69f6927ed9a0dd9676671cbc1dce0
SHA256: 9b3b153d6ddc9d168bfa1c82a290a23b4240e2b4ec4c2a20b264808f52afb088
SHA512: fc1b90167f7279f74877dccbd260c4240e2fc4fd93ba7bf65347e679953183541473b7d4d1e5fe49db9a1b3d01e30bd28a3e93fa2569db118ec7642931fc19ce

Filesize: 86KB
MD5: 029c8ebbf2f58c5e730a197c2006e287
SHA1: 516ce39e24fdada0a3e92d0c8c6d34cb6869494e
SHA256: b920f0807f1b342eda1959b0b603de06f54e41ae81809f1dc4f165b1f9d07f6b
SHA512: 5e536b3f7f5d43a9e23810818f25e2d718e647a3a77efc92ad64d8877bd73fbffb195c3e42f135bc9d1b6a083a27727c56597e30b270d74eff4daf275c79f164

Filesize: 126KB
MD5: 17d4efe8d0b7ace0b80e2d6def4f7b17
SHA1: 734962434e8860a9ccfdca0e5a8b2516506d0b40
SHA256: baa32b8c39f6143f9d8a82e1ffa2c423fc5ba08159f90ed41aac38dc3a59dec4
SHA512: f549df4d9ae2657a505d52517c288cc154f0e84fc9118f6985026c24e50972fdd16530f71e723e6ee1afc2770a44895d7126a87bb2e726ce143d65744d300273

Filesize: 41KB
MD5: e3a5066c7b2432140db63d375de597ba
SHA1: 6982106189a2074b956fe2de6d327c8889925047
SHA256: d81b35d5a7b36419c64a8b232a944f0e78f926db434aab8a6246f1e35cdd02ec
SHA512: df8b1c14e416d756b1c23611d22d0b29d2462d0fc79778850ddf05a0ed7e5f2b335d66ba4d1957e79c10fb070f982dd14e38e98078fdd90eb2a98935fe726faa

Filesize: 140KB
MD5: 4577b049574cf5e27f7a4950ab3d6707
SHA1: 282c7bc68905ffbb935ce189ff564aa9e0cfc6d8
SHA256: c3d29f7399ca57758b0f2cbc1f178ad144edf0acdb47575a15c37818420c0f06
SHA512: 3d3937eb2aac9ef2d6e2221d33928ec4c333ba23978b768d3d2a7692e5310bac0ef0bb8e9d04c0aaaa82ffb720ba2f00b61f6b980ed8ae300cbcfaad532ba87b

Filesize: 94KB
MD5: 784abd319e4966a1a9df1ecf099c78c3
SHA1: db970b0feddc3b5dc7a8b7e2839935bad01f5b31
SHA256: 39f146a3b07754c3e69beb793345875dc0ad4fa49488a6c134d040bca5a9847c
SHA512: 91cdacb747c06038d4cce4bdd78f8f4b36a6889bc66cc3af1540dd1054cde6a89b1574edc406f048de7c549c5357e81516968ff6352edb540ce0dab0ab02ef57

Filesize: 122KB
MD5: 45ced655153d00ee1f8229bed9470bac
SHA1: 0c94bc15c5e07d20bad8d9672095e658276d2c35
SHA256: 53731b84ded04ced11d7b03516edb9256138a5d7444f00c3b6e3311c651a24e3
SHA512: f8cbe1626d5fa4308e47a7bcda702e8c9a1989e1ab2b57c3f0804a49575ac3f3ff975784b0c99d46dd00bcfbfd62def0fbc8e1aa7dffead25cbb6f1210953f3f

Filesize: 95KB
MD5: 1ad0f197bda947a1d41b7050a8ec507c
SHA1: 1bbad625acd6c15bcba5071eb422f2882a5271ec
SHA256: 5df28f8fffe09325220281fb00e16198214381e49c2247efdcf1ac6edd2b7bd0
SHA512: b4f606439de3fd20a870edf5dd0bc7aa5ecfa475e5328fb51be9f6de7145b64799d5780e788f5304110a7c3e139a6738709dddc198a447f04e91fbc057c3af88

Filesize: 88KB
MD5: 766a776527035d196d35f18f8e64aa7e
SHA1: f96fbe5fdb69c6f84837cac35c15023841954344
SHA256: 624782904f5bab248f2b470e2d9f0421102fcf0e3ce3b0d68db2e3f5250a125c
SHA512: 244335b7b48ace58047019d481119db193f39cca792c8de801d474716936be26a5275f28f9dba6e569c3206a26538b63862540cd047588beec134af6e0cb4cad

Filesize: 105KB
MD5: 2c2352048233877538423bbff9fede79
SHA1: 344f46cf56c89d5646ce02f673d7e40712ba86e8
SHA256: 638bed97f6f8ca7d28efca92e0eb242f6170df95ff858da7d704cb26f2e816d6
SHA512: e20c3d6d708deec911ffe6e3663a6134c99e7c5dbb8141e1bbf5167b2dd2f9a27a30e14ffcdd9dff275dc40fcc535e8b17c9fc0b72ecf7b35c24b51f8972ea6a

Filesize: 131KB
MD5: cd356610d789b89aea3800169c91beed
SHA1: 7258cddd2fedf0cbe977d47ef2b9c80ac69548fc
SHA256: fa34fa942109ca144d961b7fa58c2a44cd0caebff6c63a2224fa767a99240012
SHA512: 0a1e62e23644e842e615f00b195a6a39d0e2dd490ba3a7f61b0c8ad9adc4ff8ccafbf4bd5e057b1bc7409d39d98d4a1a69c4d719d2b0c63cb7976853b0a2493f

Filesize: 60KB
MD5: c8ca6670315fe0d43b52c842b16e45e4
SHA1: a3e66065880d26aa8a4d2a872ad2069b921b2c1b
SHA256: 580eecc00fc559adf691f30c7b1cab3358b2139b381ba183812aeda0234eb4fe
SHA512: 10f1009a1d47230f3e8f767988a5fa685ca9a65267049f557fdb612c9617110e7e96491032c1e6fc42c40566ebd9446f315d4f770af33a3e3ab58fa4b5dddc64

Filesize: 30KB
MD5: e8c2d73029913f23c95285ce2c39eeba
SHA1: 99ba18ba4dd3c301d6bb217ce05e84c5b605b059
SHA256: 841e397f1bc55ea79f0ea7661e898b240d5542f317cb4578aa072b665b6a3731
SHA512: 8ec3094025349507e01a6abfde9fb7809f65ccaceb537fd3885310a6d4d2c23141717650d970aa2e96d2f18a5753f5c7e3959ff7e9145aa48d19513fe89d212a

Filesize: 925KB
MD5: 62d09f076e6e0240548c2f837536a46a
SHA1: 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256: 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512: 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f