Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220722-en locale:en-us os:windows10-2004-x64 system -
submitted
10-08-2022 19:52
Behavioral task
behavioral1
Sample
RtJT2FrE.exe
Resource
win7-20220718-en
General
-
Target
RtJT2FrE.exe
-
Size
128KB
-
MD5
648e9dc18a8bd5dda03ca12f4f2768e7
-
SHA1
efaefb940f47210dd0a3e9483aede0d9d5ce8a52
-
SHA256
e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
-
SHA512
6fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6
Malware Config
Extracted
remcos
2.5.0 Pro
system
213.152.161.40:8733
109.202.103.170:8733
213.152.162.89:8733
213.152.162.109:8733
213.152.161.239:8733
213.152.162.69:8733
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
sys.exe
-
copy_folder
sys
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
system
-
keylog_path
%WinDir%\System32
-
mouse_option
false
-
mutex
system-UQU82S
-
screenshot_crypt
true
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%WinDir%\System32
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
true
-
take_screenshot_time
5
-
take_screenshot_title
https://online.mbank.pl/pl/Login;https://login.ingbank.pl/mojeing/app/#login;https://www.pekao24.pl/;https://online.santanderconsumer.pl/Authentication/;https://orangefinanse.com.pl/or/Login;https://login.aliorbank.pl/;https://www.ipko.pl/;https://secure.getinbank.pl/#index/index;https://www.bankmillennium.pl/logowanie;https://www.ideabank.pl/logowanie;https://www.bosbank.pl/#;https://www.bankbps.pl/;https://plusbank24.pl/;https://www.citibankonline.pl/apps/auth/signin/;https://e-bank.credit-agricole.pl/;https://moj.raiffeisenpolbank.com/;https://login.bgzbnpparibas.pl/login/Redirect?SAMLRequest=fZDBTsMwDIZfpcp9bdoG2lltpQouk%2BDCEPe09bZKbRJiB008PWET0uDA0fb3%2FZbdkF4XB33gk3nB94DEyXldDMFl0IrgDVhNM4HRKxLwCPv%2B%2BQmKVILzlu1oF3Gj%2FG9oIvQ8WyOS3WMryvupVnlZTbqUoyoHuVWYq8MW1aEqsFQieUNPEW9FtKNDFHBniLXh2JJ5vZHbTSFf8wLyCu5qkfQ%2FGx6sobCi36P%2FmMdoTXhuRQzpmf08BMYrMZvjX6Rrvi%2BByzbfnZgdZJlbtEFOh%2BPnYJzTMUJT6pYmu2Wv1e9%2Fdl8%3D;https://konto.toyotabank.pl/auth/login.jsp;https://online.eurobank.pl/nbi/bezpieczenstwo/logowanie;https://www.deutschebank.pl/;https://www.pocztowy.pl/;https://www.t-mobilebankowe.pl/;
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Processes: iexplore.exe, RtJT2FrE.exe, sys.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | RtJT2FrE.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | RtJT2FrE.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | sys.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | sys.exe
-
Processes: reg.exe, reg.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
-
Adds policy Run key to start application 2 TTPs 6 IoCs
Processes: iexplore.exe, RtJT2FrE.exe, sys.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | RtJT2FrE.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | RtJT2FrE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sys.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | sys.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | iexplore.exe
-
Executes dropped EXE 1 IoCs
Processes: sys.exe
pid | process
4556 | sys.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: RtJT2FrE.exe, WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | RtJT2FrE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Adds Run key to start application 2 TTPs 12 IoCs
Processes: RtJT2FrE.exe, sys.exe, iexplore.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | RtJT2FrE.exe
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | sys.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | sys.exe
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | iexplore.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | RtJT2FrE.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | RtJT2FrE.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | sys.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | sys.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | RtJT2FrE.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: sys.exe, RtJT2FrE.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | sys.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | RtJT2FrE.exe
-
Drops file in System32 directory 5 IoCs
Processes: RtJT2FrE.exe, iexplore.exe
description | ioc | process
File created | C:\Windows\SysWOW64\sys\sys.exe | RtJT2FrE.exe
File opened for modification | C:\Windows\SysWOW64\sys\sys.exe | RtJT2FrE.exe
File opened for modification | C:\Windows\SysWOW64\sys | RtJT2FrE.exe
File opened for modification | C:\Windows\SysWOW64\system\logs.dat | iexplore.exe
File created | C:\Windows\SysWOW64\system\logs.dat | iexplore.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: sys.exe, iexplore.exe
description | pid | process | target process
PID 4556 set thread context of 1384 | 4556 | sys.exe | iexplore.exe
PID 1384 set thread context of 4928 | 1384 | iexplore.exe | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: RtJT2FrE.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings | RtJT2FrE.exe
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: sys.exe
pid | process
4556 | sys.exe
4556 | sys.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: iexplore.exe
pid | process
1384 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: iexplore.exe
pid | process
1384 | iexplore.exe
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes: RtJT2FrE.exe, cmd.exe, WScript.exe, cmd.exe, sys.exe, cmd.exe, iexplore.exe, cmd.exe
description | pid | process | target process
PID 4788 wrote to memory of 1776 | 4788 | RtJT2FrE.exe | cmd.exe
PID 4788 wrote to memory of 1776 | 4788 | RtJT2FrE.exe | cmd.exe
PID 4788 wrote to memory of 1776 | 4788 | RtJT2FrE.exe | cmd.exe
PID 1776 wrote to memory of 1112 | 1776 | cmd.exe | reg.exe
PID 1776 wrote to memory of 1112 | 1776 | cmd.exe | reg.exe
PID 1776 wrote to memory of 1112 | 1776 | cmd.exe | reg.exe
PID 4788 wrote to memory of 3748 | 4788 | RtJT2FrE.exe | WScript.exe
PID 4788 wrote to memory of 3748 | 4788 | RtJT2FrE.exe | WScript.exe
PID 4788 wrote to memory of 3748 | 4788 | RtJT2FrE.exe | WScript.exe
PID 3748 wrote to memory of 2292 | 3748 | WScript.exe | cmd.exe
PID 3748 wrote to memory of 2292 | 3748 | WScript.exe | cmd.exe
PID 3748 wrote to memory of 2292 | 3748 | WScript.exe | cmd.exe
PID 2292 wrote to memory of 4556 | 2292 | cmd.exe | sys.exe
PID 2292 wrote to memory of 4556 | 2292 | cmd.exe | sys.exe
PID 2292 wrote to memory of 4556 | 2292 | cmd.exe | sys.exe
PID 4556 wrote to memory of 832 | 4556 | sys.exe | cmd.exe
PID 4556 wrote to memory of 832 | 4556 | sys.exe | cmd.exe
PID 4556 wrote to memory of 832 | 4556 | sys.exe | cmd.exe
PID 832 wrote to memory of 3396 | 832 | cmd.exe | reg.exe
PID 832 wrote to memory of 3396 | 832 | cmd.exe | reg.exe
PID 832 wrote to memory of 3396 | 832 | cmd.exe | reg.exe
PID 4556 wrote to memory of 1384 | 4556 | sys.exe | iexplore.exe
PID 4556 wrote to memory of 1384 | 4556 | sys.exe | iexplore.exe
PID 4556 wrote to memory of 1384 | 4556 | sys.exe | iexplore.exe
PID 4556 wrote to memory of 1384 | 4556 | sys.exe | iexplore.exe
PID 4556 wrote to memory of 1384 | 4556 | sys.exe | iexplore.exe
PID 4556 wrote to memory of 1384 | 4556 | sys.exe | iexplore.exe
PID 4556 wrote to memory of 1384 | 4556 | sys.exe | iexplore.exe
PID 4556 wrote to memory of 1384 | 4556 | sys.exe | iexplore.exe
PID 4556 wrote to memory of 1384 | 4556 | sys.exe | iexplore.exe
PID 4556 wrote to memory of 1384 | 4556 | sys.exe | iexplore.exe
PID 1384 wrote to memory of 3920 | 1384 | iexplore.exe | cmd.exe
PID 1384 wrote to memory of 3920 | 1384 | iexplore.exe | cmd.exe
PID 1384 wrote to memory of 3920 | 1384 | iexplore.exe | cmd.exe
PID 3920 wrote to memory of 524 | 3920 | cmd.exe | reg.exe
PID 3920 wrote to memory of 524 | 3920 | cmd.exe | reg.exe
PID 3920 wrote to memory of 524 | 3920 | cmd.exe | reg.exe
PID 1384 wrote to memory of 4928 | 1384 | iexplore.exe | svchost.exe
PID 1384 wrote to memory of 4928 | 1384 | iexplore.exe | svchost.exe
PID 1384 wrote to memory of 4928 | 1384 | iexplore.exe | svchost.exe
PID 1384 wrote to memory of 4928 | 1384 | iexplore.exe | svchost.exe
PID 1384 wrote to memory of 4928 | 1384 | iexplore.exe | svchost.exe
PID 1384 wrote to memory of 4928 | 1384 | iexplore.exe | svchost.exe
PID 1384 wrote to memory of 4928 | 1384 | iexplore.exe | svchost.exe
PID 1384 wrote to memory of 4928 | 1384 | iexplore.exe | svchost.exe
PID 1384 wrote to memory of 4928 | 1384 | iexplore.exe | svchost.exe
PID 1384 wrote to memory of 4928 | 1384 | iexplore.exe | svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RtJT2FrE.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\RtJT2FrE.exe"
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\WScript.exe (depth 2)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\sys\sys.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sys\sys.exe (depth 4)
Command line: C:\Windows\SysWOW64\sys\sys.exe
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe (depth 6)
Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 5)
Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 6)
Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe (depth 7)
Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\svchost.exe (depth 6)
Command line: C:\Windows\SysWOW64\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
384B
MD5
662f40cdb9d6399685c73db8fa6af55c
SHA1
b4843af100dd7d5789d192982aaf7bc84972f781
SHA256
fa133903e470717684b46478695d90b7832ce468da7eebfd468cd51dcd244280
SHA512
bdd9a4dbc7fb1e7b2fce423dcd4d2cabe4a5027f12699d4caf9260304bd403c1099265c12975bac4bae2745a1f3d3804e184b35f5756f2aa5321f0cc109c3d0b
-
C:\Windows\SysWOW64\sys\sys.exe
Filesize
128KB
MD5
648e9dc18a8bd5dda03ca12f4f2768e7
SHA1
efaefb940f47210dd0a3e9483aede0d9d5ce8a52
SHA256
e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
SHA512
6fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6
-
memory/524-143-0x0000000000000000-mapping.dmp
-
memory/832-140-0x0000000000000000-mapping.dmp
-
memory/1112-133-0x0000000000000000-mapping.dmp
-
memory/1776-132-0x0000000000000000-mapping.dmp
-
memory/2292-136-0x0000000000000000-mapping.dmp
-
memory/3396-141-0x0000000000000000-mapping.dmp
-
memory/3748-134-0x0000000000000000-mapping.dmp
-
memory/3920-142-0x0000000000000000-mapping.dmp
-
memory/4556-137-0x0000000000000000-mapping.dmp
-
memory/4928-144-0x0000000000000000-mapping.dmp
-
memory/4928-145-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize
132KB
-
memory/4928-147-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize
132KB
-
memory/4928-148-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize
132KB