Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
04-07-2024 14:07
Static task
static1
Behavioral task
behavioral1
Sample
d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Arbitrational/Popgunnery/Bibliotekskredses/sknlitteraturer.oth
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
Arbitrational/Popgunnery/Bibliotekskredses/sknlitteraturer.oth
Resource
win10v2004-20240508-en
General
-
Target
d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe
-
Size
748KB
-
MD5
1a047b9b776d41ec61cc91286c27be07
-
SHA1
42f4eb3e00d258e61cf98a125d025692ac68c88a
-
SHA256
d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68
-
SHA512
58f8c02e634ca82fc95472d29e49931c15edaad03a0a81d672b72e817037a5b3419e25a0f97bef7c7f5c7d681a67e2416f3b7744656bc8ab62ce474d36d96b46
-
SSDEEP
12288:93VEnc1eUjaXZzl3azhfy4hamcUWQn3MN0KyBHyeFGjEvJ1EodxB4LP:93V3eUjaXZp3az1yUaZUXc6fBS2GjEvC
Malware Config
Extracted
Family: remcos
Botnet: thurssday
C2: 191.101.130.177:6903
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-HCF7F5
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
PID 1692  wab.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
PID 280   Powershell.exe
PID 1692  wab.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 280 (Powershell.exe) set thread context of PID 1692 (wab.exe)
-
Drops file in Program Files directory 2 IoCs
Processes:
File opened for modification: C:\Program Files (x86)\Common Files\evighedsblomstens\ablations.kon  (by d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe)
File opened for modification: C:\Program Files (x86)\Common Files\advisers\inkonvertibelt.beg  (by d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe)
-
Drops file in Windows directory 1 IoCs
Processes:
File opened for modification: C:\Windows\resources\0409\skimlernes\towy.Erh  (by d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
PID 280  Powershell.exe  (6 entries)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
PID 280  Powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PID 280  Powershell.exe  Token: SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
PID 1692  wab.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
PID 1756 (d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe) wrote to memory of PID 280 (Powershell.exe)  (4 entries)
PID 280 (Powershell.exe) wrote to memory of PID 1144 (cmd.exe)  (4 entries)
PID 280 (Powershell.exe) wrote to memory of PID 1692 (wab.exe)  (6 entries)
Processes
-
[PID 1756] C:\Users\Admin\AppData\Local\Temp\d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe"
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  [PID 280] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Command line: "Powershell.exe" -windowstyle minimized "$Pekingeseres = Get-Content 'C:\Users\Admin\AppData\Roaming\purists\Fdselshjlpere\counternecromancy\Drearisomely\Lyrerne.Kon' ; $Termitboernes=$Pekingeseres.SubString(33230,3);.$Termitboernes($Pekingeseres) "
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [PID 1144] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    [PID 1692] C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\remcos\logs.dat
Filesize: 124B
MD5: 97bd502922c9e889a745fbdcd22a598f
SHA1: b21e75e294090d0774bb72b5a9ee24cd287d055b
SHA256: 2debdd0d3d927b9e0aa7712241d89bfdc738c903cb9281fcf3ee03d3e97eaa62
SHA512: 053ee023662374c3a6bc11b85be9fee3cc5b092e9d2163c28de019bbdbe8907fd84cf9ff81b6dd4574379eb7fd67b2051b1417c49bfb00a577908b40e8c0c4ac
-
C:\Users\Admin\AppData\Roaming\purists\Fdselshjlpere\counternecromancy\Drearisomely\Lyrerne.Kon
Filesize: 68KB
MD5: 05605fca856618040d6e4dee40b204e1
SHA1: 2d5850037b0866baa7bb00d2769ac6fe48810f49
SHA256: 41347df2bd28b3131bf72efbf3756e4da12d0f45b4bee1b82f59c77e764e3197
SHA512: f3496876a0f2b6110dc900ff388456760281bf09d751b41c03c82915a489a541527f4ab1bafb6e509b0cf03cf7f53f51dec3e2229245934d35ec6ca91e4094ee
-
C:\Users\Admin\AppData\Roaming\purists\Fdselshjlpere\counternecromancy\Tilbagelagtes.Bon
Filesize: 466KB
MD5: 82bedb3c6b94b289be412ce6bc85a7ca
SHA1: c8fdac5f88ab0787abbef825e51861d4336aa695
SHA256: a536c0012e6d7386f2e303df21f131534636f8f67935296a72fb803634752db8
SHA512: 96cde71dfcd7ed562ced7abd1eb7185c8c82fcf10c1e733b2a67bfb4159a69d68426077ea2c62591e387929af35c59e9cb551608d1154739c911e4f9a0ba18bb
-
C:\Users\Admin\Desktop\Bankfuldmgtigens.ini
Filesize: 41B
MD5: 7bb29932647c76ded34eca4b0c9ca1cc
SHA1: 72501f63fb797f40d4dfced19a71a9e8fa07b1e9
SHA256: bec9b6e4f50edbff25fda72fb7c760c9f9bc8fee0076c7e7414b7942a84f6ca2
SHA512: 46341f7c768f23a86932ec521425c7dd7d14f68c71eac02ba897263899568440057075e95779bf1ec681bbb2e58b7e6ef057e7239b794819373c71efb4236a3d
-
memory/280-240-0x00000000066C0000-0x000000000B0B1000-memory.dmp
Filesize: 73.9MB
-
memory/1692-247-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-283-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-271-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-263-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-274-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-277-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-280-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-268-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-286-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-289-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-292-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-295-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-298-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB
-
memory/1692-301-0x0000000000B90000-0x0000000001BF2000-memory.dmp
Filesize: 16.4MB