General
-
Target
5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da.exe
-
Size
904KB
-
Sample
240704-bttzgaxaqj
-
MD5
bce1d14cd2cb21d2a6a52de1b61516c6
-
SHA1
a112646015f9db212a207e1637abe3cc7bfa3408
-
SHA256
5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da
-
SHA512
001f9ef1cdb0f135335e1af087e8fb1d85028f8087777cd022751e693874dffe74672ad1350f4307ba752b4eceb33f8ad85a055d11045dfc45a114d97bcc7e4e
-
SSDEEP
12288:yHqGmfjIIK49UkXDGtvxrzV9gROZh6vRciD+yz1DCSnJ8LWCdEDvhF2xX8:e0RfqtZHV9gQZsSc+yzRCSnND5F2xs
Static task
static1
Behavioral task
behavioral1
Sample
5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
remcos
RemoteHost
newpage44.mywire.org:5010
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
skype.exe
-
copy_folder
skype
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-GRUM7D
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da.exe
-
Size
904KB
-
MD5
bce1d14cd2cb21d2a6a52de1b61516c6
-
SHA1
a112646015f9db212a207e1637abe3cc7bfa3408
-
SHA256
5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da
-
SHA512
001f9ef1cdb0f135335e1af087e8fb1d85028f8087777cd022751e693874dffe74672ad1350f4307ba752b4eceb33f8ad85a055d11045dfc45a114d97bcc7e4e
-
SSDEEP
12288:yHqGmfjIIK49UkXDGtvxrzV9gROZh6vRciD+yz1DCSnJ8LWCdEDvhF2xX8:e0RfqtZHV9gQZsSc+yzRCSnND5F2xs
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1