Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/01/2025, 15:40
Static task
static1
Behavioral task
behavioral1
Sample
ORDERSPEC817.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ORDERSPEC817.rtf
Resource
win10v2004-20241007-en
General
-
Target
ORDERSPEC817.rtf
-
Size
552KB
-
MD5
a874fdd0f5d82f1614bca0635ed48ec6
-
SHA1
a738040f98fdc2ed57d4aceaf1df7d65aaf52511
-
SHA256
ef815c51ed2d3060393b1fd5c94fba354fb6259db2f22b0ffb92a4ea58086ab6
-
SHA512
372399d53d0d26773320cdf11be9224f3d02fb9830a3ac91867be722d5f7cbc6b214e674592b46cde6ca38f5f3ad18560d55fe9be2c599e5d61dd0da27e42d57
-
SSDEEP
6144:pjwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwy:H
Malware Config
Extracted
remcos
RemoteHost
www.kposlifestyle.design:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
edefdefffff
-
mouse_option
false
-
mutex
Rmc-OH1QS4
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/1260-72-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/600-71-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/808-69-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/1260-72-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/600-71-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Blocklisted process makes network request 2 IoCs
flow pid Process 5 2308 EQNEDT32.EXE 7 2308 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
pid Process 2640 plugmgsdh.exe 2636 plugmgsdh.exe 2840 plugmgsdh.exe 600 plugmgsdh.exe 1260 plugmgsdh.exe 808 plugmgsdh.exe -
Loads dropped DLL 1 IoCs
pid Process 2308 EQNEDT32.EXE -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts plugmgsdh.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2640 set thread context of 2636 2640 plugmgsdh.exe 34 PID 2636 set thread context of 600 2636 plugmgsdh.exe 36 PID 2636 set thread context of 1260 2636 plugmgsdh.exe 37 PID 2636 set thread context of 808 2636 plugmgsdh.exe 38 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plugmgsdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plugmgsdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plugmgsdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plugmgsdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plugmgsdh.exe -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2308 EQNEDT32.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2068 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 600 plugmgsdh.exe 600 plugmgsdh.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 2636 plugmgsdh.exe 2636 plugmgsdh.exe 2636 plugmgsdh.exe 2636 plugmgsdh.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 808 plugmgsdh.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2068 WINWORD.EXE 2068 WINWORD.EXE 2636 plugmgsdh.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2308 wrote to memory of 2640 2308 EQNEDT32.EXE 32 PID 2308 wrote to memory of 2640 2308 EQNEDT32.EXE 32 PID 2308 wrote to memory of 2640 2308 EQNEDT32.EXE 32 PID 2308 wrote to memory of 2640 2308 EQNEDT32.EXE 32 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2640 wrote to memory of 2636 2640 plugmgsdh.exe 34 PID 2636 wrote to memory of 2840 2636 plugmgsdh.exe 35 PID 2636 wrote to memory of 2840 2636 plugmgsdh.exe 35 PID 2636 wrote to memory of 2840 2636 plugmgsdh.exe 35 PID 2636 wrote to memory of 2840 2636 plugmgsdh.exe 35 PID 2636 wrote to memory of 600 2636 plugmgsdh.exe 36 PID 2636 wrote to memory of 600 2636 plugmgsdh.exe 36 PID 2636 wrote to memory of 600 2636 plugmgsdh.exe 36 PID 2636 wrote to memory of 600 2636 plugmgsdh.exe 36 PID 2636 wrote to memory of 600 2636 plugmgsdh.exe 36 PID 2636 wrote to memory of 1260 2636 plugmgsdh.exe 37 PID 2636 wrote to memory of 1260 2636 plugmgsdh.exe 37 PID 2636 wrote to memory of 1260 2636 plugmgsdh.exe 37 PID 2636 wrote to memory of 1260 2636 plugmgsdh.exe 37 PID 2636 wrote to memory of 1260 2636 plugmgsdh.exe 37 PID 2636 wrote to memory of 808 2636 plugmgsdh.exe 38 PID 2636 wrote to memory of 808 2636 plugmgsdh.exe 38 PID 2636 wrote to memory of 808 2636 plugmgsdh.exe 38 PID 2636 wrote to memory of 808 2636 plugmgsdh.exe 38 PID 2636 wrote to memory of 808 2636 plugmgsdh.exe 38 PID 2068 wrote to memory of 3008 2068 WINWORD.EXE 41 PID 2068 wrote to memory of 3008 2068 WINWORD.EXE 41 PID 2068 wrote to memory of 3008 2068 WINWORD.EXE 41 PID 2068 wrote to memory of 3008 2068 WINWORD.EXE 41
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDERSPEC817.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:3008
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Users\Admin\AppData\Roaming\plugmgsdh.exe"C:\Users\Admin\AppData\Roaming\plugmgsdh.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Users\Admin\AppData\Roaming\plugmgsdh.exe"C:\Users\Admin\AppData\Roaming\plugmgsdh.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Users\Admin\AppData\Roaming\plugmgsdh.exeC:\Users\Admin\AppData\Roaming\plugmgsdh.exe /stext "C:\Users\Admin\AppData\Local\Temp\upskakqwxbadajrqtzjy"4⤵
- Executes dropped EXE
PID:2840
-
-
C:\Users\Admin\AppData\Roaming\plugmgsdh.exeC:\Users\Admin\AppData\Roaming\plugmgsdh.exe /stext "C:\Users\Admin\AppData\Local\Temp\upskakqwxbadajrqtzjy"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:600
-
-
C:\Users\Admin\AppData\Roaming\plugmgsdh.exeC:\Users\Admin\AppData\Roaming\plugmgsdh.exe /stext "C:\Users\Admin\AppData\Local\Temp\xrxcsdbpljsidxnukkvzqwe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1260
-
-
C:\Users\Admin\AppData\Roaming\plugmgsdh.exeC:\Users\Admin\AppData\Roaming\plugmgsdh.exe /stext "C:\Users\Admin\AppData\Local\Temp\hmcvtvmrzrknndbgtvibbbzofcq"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:808
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124B
MD50d41c3ef4a24ab9937b20a3eb5472444
SHA1d5d131722f0e2972bbc44c6ad60bb4192ccf58f6
SHA25636d97897d0cd68d4acdd54d2bf932b27396094262cbfa6500facd9a27e6b4d7a
SHA512f396ae2b920f6ca183055b4c1080c6237895eeeb46ad01a48afec517c5ea5926e212aa1ec2260e5ef0e9c3a478f7c293ab7935991b5440993f1f217737694af5
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1.1MB
MD58e9211eea2ba6f1b345b696b10f9518a
SHA10d2cb42cee5bc56d6a6fab077e950fefd0af9c43
SHA25611a4eadb74837d9fdc0f052302016abed805674c458529523101ced2ccaf4346
SHA512c263aa2bbdd5394eab6d62a8f54ada0f3565ab154cbe754012f92580f5a5f24d347b938810986eaf160d4dc27726ab3b0104aba3ee7b87c0fea6f547c79c349f