Analysis
- max time kernel: 195s
- max time network: 201s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 07:28

Behavioral task: behavioral1
- Sample: 864-80-0x0000000000400000-0x0000000000417000-memory.exe
- Resource: win7-20220812-en
General
- Target: 864-80-0x0000000000400000-0x0000000000417000-memory.exe
- Size: 92KB
- MD5: 81decf81e0f22a06673849e16ff57b01
- SHA1: de0023dc4f84a29cf2ea6238de09ba7f8deaf3cb
- SHA256: 2310d8f49412769bbb634a16cb272a77dcde3104405155e811d21a88712e4d13
- SHA512: a484773eecc880b9975732ae4ba4ea7ca716f2e7f256344df52a09814821a63f56c9e306e248b5dfd6ca1f2b96d0c959efeb3103e397033cd98b7e34eb29bf4c
- SSDEEP: 1536:4hhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6nrA:ehzYTGWVvJ8f2v1TbPzuMsIFSHNThy+b
Malware Config
Extracted
- Family: remcos
- Version: 1.7 Pro
- Botnet: Nov 24th
- C2: gcrozona.duckdns.org:6062
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: Microsoft Intel Audios.exe
- copy_folder: Audio Microsoft File
- delete_file: false
- hide_file: true
- hide_keylog_file: true
- install_flag: true
- install_path: %WinDir%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: Windows Display
- keylog_path: %WinDir%
- mouse_option: false
- mutex: Windows Audio
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: Window Security Check
- take_screenshot_option: true
- take_screenshot_time: 5
- take_screenshot_title: Username;password;proforma;invoice;notepad
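The config fields above predict most of the host artifacts that the signature and process sections go on to record. The following added example (not code from the sandbox report or from Remcos) turns the extracted config into a concrete IoC list and checks it against the dropped-file paths the report observed. The config values are copied from the report; the mapping rules (copy_file under install_path\copy_folder, keylog_file under keylog_path\keylog_folder, startup_value as the HKCU Run value name), the SANDBOX_ENV expansion for the "Admin" sandbox user, and the function names are assumptions made for this example.

```python
"""Map an extracted Remcos config to the host artifacts it predicts.

Added example; it is not code from the sandbox report or from Remcos. The
config values are copied from the report's "Malware Config" section. The
path-mapping rules and the environment expansion are assumptions inferred
from the report's own file and registry IoCs.
"""
import ntpath
from pprint import pprint

# Copied from the report's extracted config (the subset relevant to host artifacts).
CONFIG = {
    "c2": ["gcrozona.duckdns.org:6062"],
    "install_flag": True,
    "install_path": "%WinDir%",
    "copy_folder": "Audio Microsoft File",
    "copy_file": "Microsoft Intel Audios.exe",
    "hide_file": True,
    "startup_value": "Window Security Check",
    "mutex": "Windows Audio",
    "keylog_flag": False,
    "keylog_crypt": True,
    "keylog_path": "%WinDir%",
    "keylog_folder": "Windows Display",
    "keylog_file": "logs.dat",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screens",
    "audio_path": "%AppData%",
    "audio_folder": "audio",
}

# Assumed expansion of the Remcos path tokens on the sandbox VM (user "Admin").
SANDBOX_ENV = {
    "%WinDir%": r"C:\Windows",
    "%AppData%": r"C:\Users\Admin\AppData\Roaming",
}

# "Drops file in Windows directory" IoCs from the report, used to validate the mapping.
OBSERVED_DROPS = [
    r"C:\Windows\Audio Microsoft File",
    r"C:\Windows\Windows Display\logs.dat",
    r"C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe",
]


def expand(token, env):
    """Expand a Remcos path token such as %WinDir%; an unknown token is an error."""
    try:
        return env[token]
    except KeyError:
        raise ValueError(f"unknown path token {token!r}") from None


def derive_iocs(cfg, env):
    """Return the file, registry, mutex and network artifacts the config predicts."""
    iocs = {"c2": [], "files": {}, "registry": {}, "mutex": cfg["mutex"]}
    for entry in cfg["c2"]:
        host, port = entry.rsplit(":", 1)
        iocs["c2"].append((host, int(port)))
    if cfg["install_flag"]:
        install_dir = ntpath.join(expand(cfg["install_path"], env), cfg["copy_folder"])
        install_exe = ntpath.join(install_dir, cfg["copy_file"])
        iocs["files"]["install_dir"] = install_dir
        iocs["files"]["install_exe"] = install_exe
        # Matches the report's Set value (str) ...\CurrentVersion\Run\Window Security Check.
        run_key = ntpath.join(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", cfg["startup_value"])
        iocs["registry"][run_key] = f'"{install_exe}"'
    # The report shows logs.dat being created although keylog_flag is false, so the
    # log path is an artifact regardless of that flag; do not gate it on keylog_flag.
    iocs["files"]["keylog_file"] = ntpath.join(
        expand(cfg["keylog_path"], env), cfg["keylog_folder"], cfg["keylog_file"])
    iocs["files"]["screenshot_dir"] = ntpath.join(
        expand(cfg["screenshot_path"], env), cfg["screenshot_folder"])
    iocs["files"]["audio_dir"] = ntpath.join(expand(cfg["audio_path"], env), cfg["audio_folder"])
    return iocs


def explain_observed(iocs, observed_paths):
    """Map each observed dropped-file path to the config-derived artifact that predicts it."""
    lookup = {path.lower(): name for name, path in iocs["files"].items()}
    return {path: lookup.get(path.lower()) for path in observed_paths}


if __name__ == "__main__":
    derived = derive_iocs(CONFIG, SANDBOX_ENV)
    pprint(derived)
    pprint(explain_observed(derived, OBSERVED_DROPS))
```

Every dropped path in the report resolves to a config field, which is the check worth running whenever a config extractor and a behavioural run disagree: an unexplained drop means either a mis-parsed config or a second payload.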
Signatures

UAC bypass 3 IoCs
Disables User Account Control by setting EnableLUA to 0. (The signature name is missing from the extracted page; it is inferred from the process tree, which tags the three reg.exe processes below as "UAC bypass".) Writing this HKLM value needs an elevated context, and the change only takes effect at the next logon, so it removes UAC prompts for later activity rather than elevating the current run.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
1660 | Microsoft Intel Audios.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 864-80-0x0000000000400000-0x0000000000417000-memory.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Security Check = "\"C:\\Windows\\Audio Microsoft File\\Microsoft Intel Audios.exe\"" | 864-80-0x0000000000400000-0x0000000000417000-memory.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | Microsoft Intel Audios.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Security Check = "\"C:\\Windows\\Audio Microsoft File\\Microsoft Intel Audios.exe\"" | Microsoft Intel Audios.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 864-80-0x0000000000400000-0x0000000000417000-memory.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1660 set thread context of 1140 | 1660 | Microsoft Intel Audios.exe | iexplore.exe
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Audio Microsoft File | 864-80-0x0000000000400000-0x0000000000417000-memory.exe
File opened for modification | C:\Windows\Windows Display\logs.dat | iexplore.exe
File created | C:\Windows\Windows Display\logs.dat | iexplore.exe
File created | C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe | 864-80-0x0000000000400000-0x0000000000417000-memory.exe
File opened for modification | C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe | 864-80-0x0000000000400000-0x0000000000417000-memory.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for this sample the extracted config identifies Remcos, a remote access tool, so read it as drive enumeration rather than as evidence of file encryption.

Modifies registry key 1 TTPs 3 IoCs

Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1140 | iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1140 | iexplore.exe

Suspicious use of WriteProcessMemory 36 IoCs
Processes (identical rows collapsed, count in the last column; 36 rows in total):
description | pid | process | target process | count
PID 4064 wrote to memory of 3464 | 4064 | 864-80-0x0000000000400000-0x0000000000417000-memory.exe | cmd.exe | 3
PID 3464 wrote to memory of 4832 | 3464 | cmd.exe | reg.exe | 3
PID 4064 wrote to memory of 3192 | 4064 | 864-80-0x0000000000400000-0x0000000000417000-memory.exe | cmd.exe | 3
PID 3192 wrote to memory of 2328 | 3192 | cmd.exe | PING.EXE | 3
PID 3192 wrote to memory of 1660 | 3192 | cmd.exe | Microsoft Intel Audios.exe | 3
PID 1660 wrote to memory of 1652 | 1660 | Microsoft Intel Audios.exe | cmd.exe | 3
PID 1660 wrote to memory of 1140 | 1660 | Microsoft Intel Audios.exe | iexplore.exe | 9
PID 1652 wrote to memory of 4284 | 1652 | cmd.exe | reg.exe | 3
PID 1140 wrote to memory of 2564 | 1140 | iexplore.exe | cmd.exe | 3
PID 2564 wrote to memory of 696 | 2564 | cmd.exe | reg.exe | 3
Processes
Read together with the signature tables: the PING 127.0.0.1 -n 2 under the install.bat cmd.exe is a common batch-file delay before the copied binary is launched, and iexplore.exe (PID 1140) is the SetThreadContext target of PID 1660, which is why the keylog file and a further reg.exe run appear beneath it.

C:\Users\Admin\AppData\Local\Temp\864-80-0x0000000000400000-0x0000000000417000-memory.exe (depth 1, PID 4064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\864-80-0x0000000000400000-0x0000000000417000-memory.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3464)
    Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (depth 3, PID 4832)
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3192)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (depth 3, PID 2328)
      Command line: PING 127.0.0.1 -n 2
      - Runs ping.exe

    C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe (depth 3, PID 1660)
      Command line: "C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1652)
        Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (depth 5, PID 4284)
          Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key

      C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 4, PID 1140)
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 2564)
          Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\reg.exe (depth 6, PID 696)
            Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - UAC bypass
            - Modifies registry key
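The signature tables and the process tree above are the raw material for reconstructing what actually happened: which child was hollowed, which reg.exe disabled UAC, and who launched it. The following added example (not code from the sandbox or from the Remcos operator) parses the report's own "wrote to memory", "set thread context" and "Set value" rows and the PID/parent table into that chain. The rows and the tree are transcribed from this report; the hollowing heuristic (a SetThreadContext target that also received more WriteProcessMemory calls than an ordinary child spawn) and the spawn_writes=3 baseline are assumptions taken from this report, where every plain CreateProcess child shows exactly three writes, and the function names are made up for the example.

```python
"""Reconstruct the injection and UAC-tamper chain from sandbox signature rows.

Added example; not code from the sandbox or from Remcos. Rows and the
PID/parent table are transcribed from the report. The hollowing heuristic
and the spawn_writes=3 baseline are assumptions drawn from this report only.
"""
import re
from collections import Counter

# pid: (image, parent pid), transcribed from the report's process tree.
PROCESS_TREE = {
    4064: ("864-80-0x0000000000400000-0x0000000000417000-memory.exe", None),
    3464: ("cmd.exe", 4064),
    4832: ("reg.exe", 3464),
    3192: ("cmd.exe", 4064),
    2328: ("PING.EXE", 3192),
    1660: ("Microsoft Intel Audios.exe", 3192),
    1652: ("cmd.exe", 1660),
    4284: ("reg.exe", 1652),
    1140: ("iexplore.exe", 1660),
    2564: ("cmd.exe", 1140),
    696: ("reg.exe", 2564),
}

# Signature rows from the report, with the report's repetition counts (36 writes).
ROWS = (
    ["PID 4064 wrote to memory of 3464"] * 3
    + ["PID 3464 wrote to memory of 4832"] * 3
    + ["PID 4064 wrote to memory of 3192"] * 3
    + ["PID 3192 wrote to memory of 2328"] * 3
    + ["PID 3192 wrote to memory of 1660"] * 3
    + ["PID 1660 wrote to memory of 1652"] * 3
    + ["PID 1660 wrote to memory of 1140"] * 9
    + ["PID 1652 wrote to memory of 4284"] * 3
    + ["PID 1140 wrote to memory of 2564"] * 3
    + ["PID 2564 wrote to memory of 696"] * 3
    + ["PID 1660 set thread context of 1140"]
    + [r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe'] * 3
)

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)")
REG_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+) = "([^"]*)" (.+)$')


def parse_rows(rows):
    """Split rows into (src, dst) -> write count, SetThreadContext pairs, and registry sets."""
    writes, contexts, regsets = Counter(), set(), []
    for row in rows:
        if m := WRITE_RE.match(row):
            writes[(int(m[1]), int(m[2]))] += 1
        elif m := CTX_RE.match(row):
            contexts.add((int(m[1]), int(m[2])))
        elif m := REG_RE.match(row):
            regsets.append((m[2], m[3], m[4]))  # key path, value, writing process
    return writes, contexts, regsets


def hollowing_candidates(writes, contexts, tree, spawn_writes=3):
    """Targets whose thread context was set by a process that also wrote to them
    more often than a plain child spawn does on this report (assumed baseline)."""
    found = []
    for src, dst in sorted(contexts):
        n = writes.get((src, dst), 0)
        if n > spawn_writes:
            found.append((src, dst, tree[dst][0], n))
    return found


def uac_disabled(regsets):
    """Registry sets that turn UAC off (EnableLUA = 0), with the writing process."""
    return [(key, proc) for key, val, proc in regsets
            if key.lower().endswith(r"\policies\system\enablelua") and val == "0"]


def ancestry(tree, pid):
    """Parent chain from pid up to the root, e.g. to see who launched a reg.exe."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = tree[pid][1]
    return chain


if __name__ == "__main__":
    writes, contexts, regsets = parse_rows(ROWS)
    for src, dst, image, n in hollowing_candidates(writes, contexts, PROCESS_TREE):
        print(f"hollowing candidate: {src} -> {dst} ({image}), {n} writes plus SetThreadContext")
    print("UAC disabled by:", uac_disabled(regsets))
    print("reg.exe 696 ancestry:", " <- ".join(
        PROCESS_TREE[p][0] for p in ancestry(PROCESS_TREE, 696)))
```

The ancestry of PID 696 runs back through the hollowed iexplore.exe to the dropped copy and the original sample, so the third EnableLUA write comes from the injected payload, not from the dropper; that is the detail to keep when writing the detection, because the visible parent of that reg.exe is a browser.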
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize: 109B
  MD5: 8ddcdd0ab01b0740982e7b78b1591015
  SHA1: acbb9c4bb32822a164f200f8b77eda0ce7bd758d
  SHA256: 7c1abbf1a20f581d2db76d769cc14cf753a412cf92e383a36ffbf0c962eaf678
  SHA512: ef43e3cb89c800529530183d4315782a864281ef8a0e6443a54ccc4f1837fcbfe43027b399bb43ea114fab70416d49b3cb2539cf8bf658b4b447c4e8597959dc
- C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe (same size and hashes as the submitted sample: a straight self-copy)
  Filesize: 92KB
  MD5: 81decf81e0f22a06673849e16ff57b01
  SHA1: de0023dc4f84a29cf2ea6238de09ba7f8deaf3cb
  SHA256: 2310d8f49412769bbb634a16cb272a77dcde3104405155e811d21a88712e4d13
  SHA512: a484773eecc880b9975732ae4ba4ea7ca716f2e7f256344df52a09814821a63f56c9e306e248b5dfd6ca1f2b96d0c959efeb3103e397033cd98b7e34eb29bf4c
- memory/696-143-0x0000000000000000-mapping.dmp
- memory/1652-140-0x0000000000000000-mapping.dmp
- memory/1660-137-0x0000000000000000-mapping.dmp
- memory/2328-136-0x0000000000000000-mapping.dmp
- memory/2564-142-0x0000000000000000-mapping.dmp
- memory/3192-134-0x0000000000000000-mapping.dmp
- memory/3464-132-0x0000000000000000-mapping.dmp
- memory/4284-141-0x0000000000000000-mapping.dmp
- memory/4832-133-0x0000000000000000-mapping.dmp