Analysis
- max time kernel: 165s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 26-06-2022 05:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7-20220414-en
General
- Target: 1.exe
- Size: 2.9MB
- MD5: 110bc33bdd915c5738f427019eaacf53
- SHA1: 089e1d1676bc0d99bbd8233c4673a2abd3e389b8
- SHA256: da250da3b237fd0acf29d52066c84d56da4f92e5e854c71b5d6a4d7b121dae9c
- SHA512: 5960838f53dfc3e9b31d829c6fd1a4d36b3e36d63339fdc73ae70d1fe2c6ee55776e8e7053b5ad06330ed09cbbd07caf606b643469b1d0890dfb81c7477b70a3
Malware Config
Extracted
- Family: remcos
- Botnet: RH1
- C2: 185.29.9.125:2404
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: itunes.exe
- copy_folder: RMS
- delete_file: true
- hide_file: false
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Jd1985-XODZWD
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Rms
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures
UAC bypass
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | itunes.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1.exe
Executes dropped EXE (1 IoCs)
Processes (pid | process):
- 4364 | itunes.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | itunes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | itunes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 1.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | WScript.exe
YARA rule match: themida
Processes (resource | yara_rule):
- behavioral2/memory/4952-130-0x0000000000E10000-0x0000000001548000-memory.dmp | themida
- behavioral2/memory/4952-131-0x0000000000E10000-0x0000000001548000-memory.dmp | themida
- behavioral2/memory/4952-132-0x0000000000E10000-0x0000000001548000-memory.dmp | themida
- behavioral2/memory/4952-133-0x0000000000E10000-0x0000000001548000-memory.dmp | themida
- behavioral2/memory/4952-135-0x0000000000E10000-0x0000000001548000-memory.dmp | themida
- behavioral2/memory/4952-136-0x0000000000E10000-0x0000000001548000-memory.dmp | themida
- behavioral2/memory/4952-137-0x0000000000E10000-0x0000000001548000-memory.dmp | themida
- behavioral2/memory/4952-142-0x0000000000E10000-0x0000000001548000-memory.dmp | themida
- C:\Users\Admin\AppData\Roaming\RMS\itunes.exe | themida
- C:\Users\Admin\AppData\Roaming\RMS\itunes.exe | themida
- behavioral2/memory/4364-148-0x0000000000FD0000-0x0000000001708000-memory.dmp | themida
- behavioral2/memory/4364-149-0x0000000000FD0000-0x0000000001708000-memory.dmp | themida
- behavioral2/memory/4364-150-0x0000000000FD0000-0x0000000001708000-memory.dmp | themida
- behavioral2/memory/4364-151-0x0000000000FD0000-0x0000000001708000-memory.dmp | themida
- behavioral2/memory/4364-152-0x0000000000FD0000-0x0000000001708000-memory.dmp | themida
- behavioral2/memory/4364-153-0x0000000000FD0000-0x0000000001708000-memory.dmp | themida
- behavioral2/memory/4364-158-0x0000000000FD0000-0x0000000001708000-memory.dmp | themida
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 1.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rms = "\"C:\\Users\\Admin\\AppData\\Roaming\\RMS\\itunes.exe\"" | 1.exe
- Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | itunes.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rms = "\"C:\\Users\\Admin\\AppData\\Roaming\\RMS\\itunes.exe\"" | itunes.exe
Checks whether UAC is enabled
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | itunes.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes (pid | process):
- 4952 | 1.exe
- 4364 | itunes.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | 1.exe
Modifies registry key (1 TTPs, 2 IoCs)
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description | pid | process | target process):
- PID 4952 wrote to memory of 792 | 4952 | 1.exe | cmd.exe
- PID 4952 wrote to memory of 792 | 4952 | 1.exe | cmd.exe
- PID 4952 wrote to memory of 792 | 4952 | 1.exe | cmd.exe
- PID 792 wrote to memory of 4616 | 792 | cmd.exe | reg.exe
- PID 792 wrote to memory of 4616 | 792 | cmd.exe | reg.exe
- PID 792 wrote to memory of 4616 | 792 | cmd.exe | reg.exe
- PID 4952 wrote to memory of 4996 | 4952 | 1.exe | WScript.exe
- PID 4952 wrote to memory of 4996 | 4952 | 1.exe | WScript.exe
- PID 4952 wrote to memory of 4996 | 4952 | 1.exe | WScript.exe
- PID 4996 wrote to memory of 928 | 4996 | WScript.exe | cmd.exe
- PID 4996 wrote to memory of 928 | 4996 | WScript.exe | cmd.exe
- PID 4996 wrote to memory of 928 | 4996 | WScript.exe | cmd.exe
- PID 928 wrote to memory of 4364 | 928 | cmd.exe | itunes.exe
- PID 928 wrote to memory of 4364 | 928 | cmd.exe | itunes.exe
- PID 928 wrote to memory of 4364 | 928 | cmd.exe | itunes.exe
- PID 4364 wrote to memory of 3528 | 4364 | itunes.exe | cmd.exe
- PID 4364 wrote to memory of 3528 | 4364 | itunes.exe | cmd.exe
- PID 4364 wrote to memory of 3528 | 4364 | itunes.exe | cmd.exe
- PID 4364 wrote to memory of 216 | 4364 | itunes.exe | svchost.exe
- PID 4364 wrote to memory of 216 | 4364 | itunes.exe | svchost.exe
- PID 4364 wrote to memory of 216 | 4364 | itunes.exe | svchost.exe
- PID 3528 wrote to memory of 3056 | 3528 | cmd.exe | reg.exe
- PID 3528 wrote to memory of 3056 | 3528 | cmd.exe | reg.exe
- PID 3528 wrote to memory of 3056 | 3528 | cmd.exe | reg.exe
Processes (process tree, children indented under their parent)
C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\RMS\itunes.exe"
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\RMS\itunes.exe
        Command line: C:\Users\Admin\AppData\Roaming\RMS\itunes.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\reg.exe
            Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - UAC bypass
            - Modifies registry key
        C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\SysWOW64\svchost.exe
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  Filesize: 526B
  MD5: ab532e461407511c17d0f35bbfff4d82
  SHA1: f8de7084afa41be17da464d173cdb5bc46f6c8cc
  SHA256: d0076f2edab5329c977a0fc76907ff135a0f375daf4ebe478b89e64c8444c60f
  SHA512: 1c5284c0be6c37d88a34d96ec7ed26381ceab6b9fb1386e2317d0b86a2eae51f30a079b4408a1ebcaa5dc7913d561e49b9efd70e3471fb1a471a6155590fe000
- C:\Users\Admin\AppData\Roaming\RMS\itunes.exe
  Filesize: 2.9MB
  MD5: 110bc33bdd915c5738f427019eaacf53
  SHA1: 089e1d1676bc0d99bbd8233c4673a2abd3e389b8
  SHA256: da250da3b237fd0acf29d52066c84d56da4f92e5e854c71b5d6a4d7b121dae9c
  SHA512: 5960838f53dfc3e9b31d829c6fd1a4d36b3e36d63339fdc73ae70d1fe2c6ee55776e8e7053b5ad06330ed09cbbd07caf606b643469b1d0890dfb81c7477b70a3