Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13/01/2025, 15:40
General
-
Target
ORDERSPEC817.rtf
-
Size
552KB
-
MD5
a874fdd0f5d82f1614bca0635ed48ec6
-
SHA1
a738040f98fdc2ed57d4aceaf1df7d65aaf52511
-
SHA256
ef815c51ed2d3060393b1fd5c94fba354fb6259db2f22b0ffb92a4ea58086ab6
-
SHA512
372399d53d0d26773320cdf11be9224f3d02fb9830a3ac91867be722d5f7cbc6b214e674592b46cde6ca38f5f3ad18560d55fe9be2c599e5d61dd0da27e42d57
-
SSDEEP
6144:pjwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwy:H
Malware Config
Extracted
remcos
RemoteHost
www.kposlifestyle.design:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
edefdefffff
-
mouse_option
false
-
mutex
Rmc-OH1QS4
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDERSPEC817.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\plugmgsdh.exe"C:\Users\Admin\AppData\Roaming\plugmgsdh.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\plugmgsdh.exe"C:\Users\Admin\AppData\Roaming\plugmgsdh.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\plugmgsdh.exeC:\Users\Admin\AppData\Roaming\plugmgsdh.exe /stext "C:\Users\Admin\AppData\Local\Temp\upskakqwxbadajrqtzjy"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\plugmgsdh.exeC:\Users\Admin\AppData\Roaming\plugmgsdh.exe /stext "C:\Users\Admin\AppData\Local\Temp\upskakqwxbadajrqtzjy"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\plugmgsdh.exeC:\Users\Admin\AppData\Roaming\plugmgsdh.exe /stext "C:\Users\Admin\AppData\Local\Temp\xrxcsdbpljsidxnukkvzqwe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\plugmgsdh.exeC:\Users\Admin\AppData\Roaming\plugmgsdh.exe /stext "C:\Users\Admin\AppData\Local\Temp\hmcvtvmrzrknndbgtvibbbzofcq"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124B
MD50d41c3ef4a24ab9937b20a3eb5472444
SHA1d5d131722f0e2972bbc44c6ad60bb4192ccf58f6
SHA25636d97897d0cd68d4acdd54d2bf932b27396094262cbfa6500facd9a27e6b4d7a
SHA512f396ae2b920f6ca183055b4c1080c6237895eeeb46ad01a48afec517c5ea5926e212aa1ec2260e5ef0e9c3a478f7c293ab7935991b5440993f1f217737694af5
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1.1MB
MD58e9211eea2ba6f1b345b696b10f9518a
SHA10d2cb42cee5bc56d6a6fab077e950fefd0af9c43
SHA25611a4eadb74837d9fdc0f052302016abed805674c458529523101ced2ccaf4346
SHA512c263aa2bbdd5394eab6d62a8f54ada0f3565ab154cbe754012f92580f5a5f24d347b938810986eaf160d4dc27726ab3b0104aba3ee7b87c0fea6f547c79c349f
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
1.2MB
-
Filesize
688KB
-
Filesize
32KB