Analysis
-
max time kernel
59s -
max time network
59s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted
20/04/2025, 20:33
Static task
static1
Behavioral task
behavioral1
Sample
dc7b0a7722de1f9abdea3589970b0803d7b807e5c05bb96ea091d29d15255d5a.exe
Resource
win10v2004-20250314-en
General
-
Target
dc7b0a7722de1f9abdea3589970b0803d7b807e5c05bb96ea091d29d15255d5a.exe
-
Size
23.0MB
-
MD5
07ec451b057f8b175ddb971c24d0d740
-
SHA1
1c3a88ebce818243bf5b31e55812de3c8e0458b4
-
SHA256
dc7b0a7722de1f9abdea3589970b0803d7b807e5c05bb96ea091d29d15255d5a
-
SHA512
7db5cde2310fd8b7914c26edbb86cfebb55c595eec49d8596bf45488c411bed72fcf6086c7ed8c6cfd1bc4505fedf339f5cc00abeeed43928673c20f3d450c50
-
SSDEEP
393216:Q8t/QCMfMwqfGr8vOu7deqcbOL78sJwf5tyDAn5aYKLW6S:n1QtUwJu5eNo0f5EDAn1KRS
Malware Config
Extracted
remcos
2.5.0 Pro
Spot1511
nvdiedico.knowsitall.info:3297
dico.is-a-hard-worker.com:3297
roxy.is-by.us:3297
nicholds.dyndns-web.com:3297
nvdiedicozeus.dyndns-web.com:3297
nvdieroxy.servebbs.org:3297
nvdiedicob.is-a-chef.org:3297
nerverdieorcus.is-a-doctor.com:3297
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
rmlogs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Rmxplgdatas-ORUCBL
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Extracted
netwire
wire.mine.nu:9702
dico.is-very-bad.org:9702
roxy.dynalias.net:9702
regiskm67.buyshouses.net:9702
zeusnodie.mypets.ws:9702
nvdiedicobies.is-a-hard-worker.com:9702
nvdieroxy.kicks-ass.net:9702
nvdiedicozeuse.webhop.org:9702
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
Spot1411
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
Entubebd
-
offline_keylogger
true
-
password
0000
-
registry_autorun
false
-
use_mutex
true
Signatures
-
NetWire RAT payload 2 IoCs
resource | yara_rule
behavioral1/memory/5284-322-0x0000000000760000-0x0000000001760000-memory.dmp | netwire
behavioral1/memory/5284-324-0x0000000000760000-0x0000000001760000-memory.dmp | netwire
Netwire family
-
Remcos family
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | dc7b0a7722de1f9abdea3589970b0803d7b807e5c05bb96ea091d29d15255d5a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | RxWindriver.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | Netframework.exe
Executes dropped EXE 7 IoCs
pid | Process
5340 | nb673-full.exe
1320 | RxWindriver.exe
1792 | Netframework.exe
1916 | wqmvjkujg.bat
4480 | dhidhbrvsi.cmd
6128 | RegSvcs.exe
5284 | RegSvcs.exe
Loads dropped DLL 12 IoCs
pid | Process
5340 | nb673-full.exe (listed 12 times, one entry per dropped DLL loaded)
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdaters = "C:\\Users\\Admin\\AppData\\Local\\Temp\\97028583\\WQMVJK~1.BAT C:\\Users\\Admin\\AppData\\Local\\Temp\\97028583\\suwbmcn.eme" | wqmvjkujg.bat
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdaters = "C:\\Users\\Admin\\AppData\\Local\\Temp\\02611875\\DHIDHB~1.CMD C:\\Users\\Admin\\AppData\\Local\\Temp\\02611875\\sktfl.wts" | dhidhbrvsi.cmd
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1916 set thread context of 6128 | 1916 | wqmvjkujg.bat | 105
PID 4480 set thread context of 5284 | 4480 | dhidhbrvsi.cmd | 106
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dc7b0a7722de1f9abdea3589970b0803d7b807e5c05bb96ea091d29d15255d5a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RxWindriver.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wqmvjkujg.bat
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nb673-full.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Netframework.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dhidhbrvsi.cmd
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
NSIS installer 2 IoCs
resource | yara_rule
behavioral1/files/0x000c0000000241b4-8.dat | nsis_installer_1
behavioral1/files/0x000c0000000241b4-8.dat | nsis_installer_2
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nb673-full.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | nb673-full.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1916 | wqmvjkujg.bat (repeated)
4480 | dhidhbrvsi.cmd (repeated)
(64 entries in total, alternating in pairs between the two processes)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
6128 | RegSvcs.exe
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target
PID 1580 wrote to memory of 5340 | 1580 | dc7b0a7722de1f9abdea3589970b0803d7b807e5c05bb96ea091d29d15255d5a.exe | 88 (3 entries)
PID 1580 wrote to memory of 1320 | 1580 | dc7b0a7722de1f9abdea3589970b0803d7b807e5c05bb96ea091d29d15255d5a.exe | 90 (3 entries)
PID 1580 wrote to memory of 1792 | 1580 | dc7b0a7722de1f9abdea3589970b0803d7b807e5c05bb96ea091d29d15255d5a.exe | 91 (3 entries)
PID 1320 wrote to memory of 1916 | 1320 | RxWindriver.exe | 92 (3 entries)
PID 1792 wrote to memory of 4480 | 1792 | Netframework.exe | 93 (3 entries)
PID 1916 wrote to memory of 6128 | 1916 | wqmvjkujg.bat | 105 (5 entries)
PID 4480 wrote to memory of 5284 | 4480 | dhidhbrvsi.cmd | 106 (5 entries)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\dc7b0a7722de1f9abdea3589970b0803d7b807e5c05bb96ea091d29d15255d5a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dc7b0a7722de1f9abdea3589970b0803d7b807e5c05bb96ea091d29d15255d5a.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1580 -
[2] C:\Users\Admin\AppData\Roaming\nb673-full.exe
Command line: "C:\Users\Admin\AppData\Roaming\nb673-full.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:5340
[2] C:\Users\Admin\AppData\Roaming\RxWindriver.exe
Command line: "C:\Users\Admin\AppData\Roaming\RxWindriver.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320 -
[3] C:\Users\Admin\AppData\Local\Temp\97028583\wqmvjkujg.bat
Command line: "C:\Users\Admin\AppData\Local\Temp\97028583\wqmvjkujg.bat" suwbmcn.eme
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916 -
[4] C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6128
[2] C:\Users\Admin\AppData\Roaming\Netframework.exe
Command line: "C:\Users\Admin\AppData\Roaming\Netframework.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792 -
[3] C:\Users\Admin\AppData\Local\Temp\02611875\dhidhbrvsi.cmd
Command line: "C:\Users\Admin\AppData\Local\Temp\02611875\dhidhbrvsi.cmd" sktfl.wts
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4480 -
[4] C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5284
[1] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\97028583\WQMVJK~1.BAT C:\Users\Admin\AppData\Local\Temp\97028583\suwbmcn.eme
PID:4380
[1] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\02611875\DHIDHB~1.CMD C:\Users\Admin\AppData\Local\Temp\02611875\sktfl.wts
PID:5640
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize
269KB
MD5 6f3aa0896874ab108c07673ff22978bd
SHA1 787c20c688a551560c1119581da7bcc1aa754dad
SHA256 8f3c8402a49c242cad6162f1c4f178cd7d2c7aa23bb34fea473144f2e3c438af
SHA512 28e403c1373c8c282ed57a034b25a258503caf669669aaf7bd869db340be8120f910724c79ceb8a0f010a9d58cb4000e4cd932b223df69c3b7bef3194bceea34
-
Filesize
308KB
MD5 8296a539bec586333a216bca6dba8bbd
SHA1 696098c5bde90f2fda807dd7b42a744ee55965a7
SHA256 aa05bf9b4485d0cc21eb8881828136cca038ce7676bd1aa0e3df2bd60e80efc1
SHA512 c31cc0466f549e42672fe4d5aa9c8a24383210a6db1e4d141678170666711b3b9dec3d9400e7c18c8e2c5710ca7d2c859597ccefd04d8b2fecd44424428585e4
-
Filesize
732KB
MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
-
Filesize
44KB
MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
Filesize
928B
MD5 2f1ef11d134be7ac487121b9ed3760c4
SHA1 c39445b7e188f003507945852e3c3930185d5398
SHA256 e506d0a5ada059b1203342677fdbc13d62724d65fd274eedefc721b85edb8e7b
SHA512 73805b81cffadc5e408d2c457a9d5d25cf0436edc53b115913ac685bfdf63e0c1f8f31d6fbb43d4635acf8dd643ca39b899c28cefe95d59b1650e49edec685ac
-
Filesize
14KB
MD5 3e277798b9d8f48806fbb5ebfd4990db
SHA1 d1ab343c5792bc99599ec7acba506e8ba7e05969
SHA256 fe19353288a08a5d2640a9c022424a1d20e4909a351f2114423e087313a40d7c
SHA512 84c9d4e2e6872277bffb0e10b292c8c384d475ad163fd0a47ca924a3c79077dfde880f535a171660f73265792554129161d079a10057d44e28e2d57ebc477e92
-
Filesize
5KB
MD5 b26b412d9f1050ad53f663c972fdcd9f
SHA1 7bc4ed444f3f8fd14c2c36784d828175bace8c17
SHA256 70c842f318f691d92e5829616a283aa9bf9dc18cea6f39bad028e176056b591a
SHA512 ba350a10b41c0cfe34c502e3d0e68fbfe1489448c85a282e0a5e444fa58d0dd8be2e566e21f0734a0debfc454f08b84140964c09c4c952f6a442642c911d7b46
-
Filesize
11KB
MD5 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256 fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
-
Filesize
14KB
MD5 4814167aa1c7ec892e84907094646faa
SHA1 a57a5ecbdfa9a8777a3c587f1acb02b783afc5ee
SHA256 32dd7269abf5a0e5db888e307d9df313e87cef4f1b597965a9d8e00934658822
SHA512 fb1f35e393997ecd2301f371892b59574ee6b666095c3a435336160481f6ef7ed5635c90ce5d2cf88e5ef4a5affb46cb841b7d17e7981bd6e998531193f5d067
-
Filesize
4KB
MD5 c22c9d7b6937b8960fba4c8a145076b2
SHA1 2e45c2dd6e5132a942fe940dccdaf771e0f9e81e
SHA256 510e466a715933499fb9d5a1753b483826b2bf89161b9d466dd2ad7e52ede2fc
SHA512 b3b93fb97bc0d16ac35a1f0e877bcf42324e19d21839b025329d1b27d8e96bc9c0cbde0a8d60b23fd0c864f62e3c287461108c6abecf53ac488de1fc16b47d6e
-
Filesize
4KB
MD5 d25102051b33f61c9f7fb564a4556219
SHA1 c683964c11d5175171bd009cb08f87592c923f85
SHA256 e58e5d1d8da2ea526d0d754b4faad3773021166b0720723efb7b30f1f5075398
SHA512 8828eec31926251d7e51b5bf1050c3519c9b7fca4f978fb6ee0bf18f9642c3460687f10ff79e5892100ecadbf49725711567c348e1dfccb3644bd9ef992a92f0
-
Filesize
9KB
MD5 b3070cf20db659fdfb3cb2ed38130e8d
SHA1 aa234b0620bebddde1414ff6b0840d883890b413
SHA256 f2c1409faf2952c1c91f4b5495158ef5c7d1a1db6eea4a18f163574bd52fcad0
SHA512 4849a4cf24ea8a26cd04eb132d479cc093d4e204ed3866a77646d03778f4c128e20722a0c3cd62ea98a37deea4ce505fe632420158c71a10b0c8c5e32b38e3f1
-
Filesize
1.4MB
MD5 6b60dfc1c2ff57eb2a32423995c766e8
SHA1 adcd8abb899c4e009216384dcf1f54ed5ba52819
SHA256 b21f28cf27f33b0ef78a2b1a5040f48fe8a13e5553ee870b1a77d8aefc7aa81b
SHA512 7d303c9eb3953173694ac6a87aa5dc4eeb1a21ed480a48e776dfbec5822468bcec84ccece786ab7a3483a3e4e4824462444535d23bf23e42cf67bd4a5707cb0b
-
Filesize
1.4MB
MD5 d323f3245223177b63de1ecbe3f47663
SHA1 ed7c2f0a5bd951b946a471cc7d5771ce6a5f61dc
SHA256 f82e132f601da9270a40d268809974af7aa406a75e2fa63075a9c3fa3e35673c
SHA512 c3b7a7e6b0b95e3ef3cc9766430596d812ce5844ed45c0ad016b6998aa4e7e71602cf2f4b16100aac4406bef2255f5c88354b87cc3cfbfbace50b06974ec9d79
-
Filesize
15.8MB
MD5 de277032de998ff27f75e0cbfb4b7b6b
SHA1 9d88f2fa882e9c22a353e13387bd7f7005ade51d
SHA256 47297aac91fa6670efb15c70c80e99656b3fbc5598c2e93304225bbbe6f1a266
SHA512 b1cb388f356e929c8bde60770e8a0404f0c4c39b724004fd80001a5f0637e892991cc4c0a807cb8358fa0bdbe4cf9819ece0a5ab9503d0103f08d32e7e4d2514