Analysis
-
max time kernel
173s -
max time network
184s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted
29-11-2022 15:49
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
Resource
win10v2004-20220812-en
General
-
Target
SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
-
Size
10KB
-
MD5
c4356d6506fed06bf83324222896e64f
-
SHA1
3932ecf0b9ae7e144180ae357cc72f05b2bb1963
-
SHA256
1f353369c80de1b1e98ded84be361263e75f56c109764fa3f5fa1d9b1df3a0c9
-
SHA512
d68f76f09183e84c729cb1f7f4d090dedf387925d7cfd80e369a89d17a13b488fb0c9fc10620da3f5d39cbad73d9ff8ac0bbefa79981f7693abe925d6b786e53
-
SSDEEP
192:ujGVmR2TsJcAALF+9kseWgN0l4TKmF8stYcFmVc03KY:uikRvJczLF+9ksxgfTKmFptYcFmVc03K
Malware Config
Extracted
remcos
Remote
79.110.62.46:50499
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
windowss
-
mouse_option
false
-
mutex
fg4wer4s5trgfqewdc-WR9LLO
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Process: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe (the top-level process, PID 2004 per the process tree)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gbmevjs = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fjkatm\\Gbmevjs.exe\""
  Note: the value name (Gbmevjs) and path (Fjkatm\Gbmevjs.exe) do not match the extracted config's copy_file, copy_folder or startup_value (remcos.exe, Remcos, Remcos), and the config has install_flag set to false. Persistence is therefore written by the outer loader, not by Remcos's own install routine, so hunting only for the Remcos defaults would miss it.
-
- Suspicious use of SetThreadContext (1 IoC)
Processes:
  Description: PID 2004 set thread context of 1960
  Process: 2004 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  Target process: 1960 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
-
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but the extracted configuration identifies this payload as Remcos, a remote access tool, so on this sample the drive enumeration is better read as RAT reconnaissance (Remcos offers remote file browsing) than as evidence of encryption activity.
-
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 948 powershell.exe
  PID 580 powershell.exe
-
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 948 powershell.exe
  Token: SeDebugPrivilege, PID 2004 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  Token: SeDebugPrivilege, PID 580 powershell.exe
-
- Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 1960 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
-
- Suspicious use of WriteProcessMemory (21 IoCs, grouped by target)
Processes:
  Description: PID 2004 wrote to memory of 948 (4 events)
  Process: 2004 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  Target process: 948 powershell.exe

  Description: PID 2004 wrote to memory of 580 (4 events)
  Process: 2004 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  Target process: 580 powershell.exe

  Description: PID 2004 wrote to memory of 1960 (13 events)
  Process: 2004 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  Target process: 1960 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
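The SetThreadContext and WriteProcessMemory signatures, read together with the process tree (PID 2004 starts a second copy of its own executable as PID 1960, writes into it thirteen times and then resets its thread context), are the classic process-hollowing pattern. The following is an added example, not part of the sandbox report, that correlates such event records into one detection. The event list and the parent map are constructed by hand from the tables on this page; the report's tables carry no timestamps, so the example does not enforce the order of the calls.

```python
from collections import defaultdict

SAMPLE = "SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe"
POWERSHELL = "powershell.exe"


def _event(api, pid, image, target, target_image):
    return {"api": api, "pid": pid, "image": image,
            "target": target, "target_image": target_image}


# Event records reconstructed by hand from the signature tables above:
# 4 + 4 + 13 WriteProcessMemory calls and one SetThreadContext, all issued by PID 2004.
EVENTS = (
    [_event("WriteProcessMemory", 2004, SAMPLE, 948, POWERSHELL)] * 4
    + [_event("WriteProcessMemory", 2004, SAMPLE, 580, POWERSHELL)] * 4
    + [_event("WriteProcessMemory", 2004, SAMPLE, 1960, SAMPLE)] * 13
    + [_event("SetThreadContext", 2004, SAMPLE, 1960, SAMPLE)]
)

# Parent/child relationships taken from the process tree in the report.
PARENT = {948: 2004, 580: 2004, 1960: 2004}


def find_hollowing(events, parent):
    """Correlate memory writes and thread-context changes into hollowing candidates.

    A parent normally writes a few times into a child it has just created (CreateProcess
    copies the process parameters that way), so writes on their own are not a signal, as
    the two powershell.exe children above show. Writes into a child combined with a
    SetThreadContext on that same child are the hollowing signal; same_image flags the
    strongest variant, where the child is a suspended copy of the parent's own executable.
    """
    writes = defaultdict(int)
    context_targets = set()
    images = {}
    for e in events:
        key = (e["pid"], e["target"])
        images[key] = (e["image"], e["target_image"])
        if e["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif e["api"] == "SetThreadContext":
            context_targets.add(key)

    hits = []
    for src, dst in sorted(context_targets):
        key = (src, dst)
        # Only count a context change on a process the caller itself spawned and wrote into.
        if parent.get(dst) != src or writes[key] == 0:
            continue
        src_image, dst_image = images[key]
        hits.append({"parent": src, "child": dst,
                     "same_image": src_image == dst_image, "writes": writes[key]})
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(EVENTS, PARENT):
        print(hit)
```

On this report the rule yields exactly one candidate, parent 2004 into child 1960 with same_image set, and nothing for the two PowerShell children, which received writes but no SetThreadContext.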
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe (PID 2004 per the signature tables)
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Get-Date
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
      (the -ENC argument is base64 of UTF-16LE text and decodes to start-sleep -seconds 10; the System32 path in the command line resolves to SysWOW64 because the 32-bit parent is subject to WoW64 file system redirection)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe (PID 1960, the hollowed child)
      Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
      - Suspicious use of SetWindowsHookEx
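Both PowerShell children run one-liners that look harmless in isolation (Get-Date, and an encoded command that is a ten-second sleep); the EnumeratesProcesses and SeDebugPrivilege signatures on them are commonly seen for any PowerShell host and are not evidence of malicious script content. The following is an added example, not part of the report, that decodes -EncodedCommand arguments found in a process tree. The command lines are copied from the tree above; the regular expression for PowerShell's prefix-matched switch names is the example's own assumption.

```python
import base64
import re

# Command lines copied from the process tree in the report.
PROCESS_TREE = [
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe"',
    '"powershell" Get-Date',
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ENC '
    'cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==',
]

# powershell.exe matches switch names case-insensitively by unambiguous prefix, so
# -e, -ec, -en, -enc ... -EncodedCommand all select the same parameter, and "/" works
# like "-". Accepting any "enc..." prefix is deliberate: a detection should decode
# rather than miss a variant spelling.
_ENC_SWITCH = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand, or None if the switch is absent.

    The payload is base64 of the UTF-16LE script bytes. Bad base64 or bytes that are not
    valid UTF-16 are reported as a string instead of raising, because command lines taken
    from a sandbox are attacker-controlled input.
    """
    m = _ENC_SWITCH.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16-le").rstrip("\x00")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable -EncodedCommand: %s>" % blob[:24]


def decode_tree(cmdlines):
    """Pair each command line with its decoded script (None where there is nothing to decode)."""
    return [(c, decode_encoded_command(c)) for c in cmdlines]


if __name__ == "__main__":
    for cmdline, decoded in decode_tree(PROCESS_TREE):
        if decoded is not None:
            print(cmdline)
            print("  ->", decoded)
```

Run against the three command lines above, only the third decodes, to start-sleep -seconds 10. A dropper that spends its PowerShell activity on timing calls is a pattern worth flagging on its own, since delays are a cheap way to outlast a sandbox's execution window.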
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 24da30f6bf70a1bc986263b03b9cb22e
SHA1: a2c6a0aea57ea5f70a1b64788180a227b8028397
SHA256: bc069348fff0bbe1d6f160e0bc87ce805854c80fcebfc507606d664017d92e65
SHA512: 9d0778f88e9e464945a17ebdbbb25bc2ec63f8cdd8e8152d15589fe690ec3d5001735c9734bcb32686d081a00beee115448c70a2a5dce7ee3d3b23f2dab2af66
-
Memory dumps (grouped by PID, filesize in parentheses):
- memory/580-61-0x0000000000000000-mapping.dmp
- memory/580-64-0x000000006F0C0000-0x000000006F66B000-memory.dmp (5.7MB)
- memory/580-65-0x000000006F0C0000-0x000000006F66B000-memory.dmp (5.7MB)
- memory/948-55-0x0000000000000000-mapping.dmp
- memory/948-56-0x00000000761E1000-0x00000000761E3000-memory.dmp (8KB)
- memory/948-58-0x000000006FEC0000-0x000000007046B000-memory.dmp (5.7MB)
- memory/948-59-0x000000006FEC0000-0x000000007046B000-memory.dmp (5.7MB)
- memory/1960-66-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-67-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-69-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-71-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-72-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-73-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-74-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-76-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-78-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-79-0x00000000004327A4-mapping.dmp
- memory/1960-82-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-83-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1960-84-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/2004-54-0x0000000000060000-0x0000000000068000-memory.dmp (32KB)
- memory/2004-60-0x0000000007370000-0x00000000075AA000-memory.dmp (2.2MB)

The 508KB image at 0x400000 in PID 1960 is far larger than the 10KB executable that process was started from, and the mapping entry at 0x4327A4 falls inside that region; both are consistent with the hollowed child having been overwritten with the Remcos payload whose configuration is extracted above. Those 1960 dumps are the ones to pull for payload analysis, not the 2004 dumps of the loader.