Analysis
-
max time kernel
190s -
max time network
219s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
05-12-2022 07:32
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Resource
win10v2004-20221111-en
General
-
Target
SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
-
Size
1.4MB
-
MD5
fecaf29f4b5fa02b801f7dcaf13472d8
-
SHA1
ed394790fbd6c2adb6db9f4dc44d54dd85cc4171
-
SHA256
f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27
-
SHA512
993cc7f3055adf6e9ced61b4b4a1beb0f97a81e69dee6ba676229716d97a25ba63c3458485b618cdee4df8997d3e7828b98371494cbf0627d6f0ae8244f4032e
-
SSDEEP
24576:Kg7AqlKSw+m74B/WHoUdSs/B1pfk4Nor1JbamMdGT8i:F7AxJ74BfUkQB1Vkxl0dS8
Malware Config
Extracted
remcos
UC
ucremcz1.ddns.net:1823
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
BIN.exe
-
copy_folder
BIN
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Rmc-TYHMFA
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
bin
-
take_screenshot_option
false
-
take_screenshot_time
5
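Turning the extracted config into host artefacts to hunt for. This is an added example, not part of the sandbox report: the CONFIG dict copies the report's fields (ucremcz1.ddns.net:1823 is read as the C2 host:port), and the way the fields are combined (install_path\copy_folder\copy_file for the dropped binary, startup_value as the Run value name, keylog_path\keylog_folder\keylog_file for the log) is this example's reading of them, checked at the end against the two Run-key IoCs the report recorded under "Adds Run key to start application".

```python
"""Derive expected host artefacts from the Remcos config extracted above.

Added example (not the report's own data beyond the copied fields). The
combination rules below are an assumption of this example; they are
validated against the Run-key IoCs the sandbox actually observed.
"""
import ntpath

CONFIG = {  # copied from the "Malware Config" section of the report
    "c2": "ucremcz1.ddns.net:1823",
    "install_flag": True, "install_path": "%AppData%",
    "copy_folder": "BIN", "copy_file": "BIN.exe", "startup_value": "bin",
    "keylog_flag": False, "keylog_path": "%AppData%",
    "keylog_folder": "remcos", "keylog_file": "logs.dat",
    "screenshot_flag": False, "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "mutex": "Rmc-TYHMFA",
}

# Environment of the sandbox run (user "Admin"), as seen in the process tree.
SANDBOX_ENV = {"%AppData%": r"C:\Users\Admin\AppData\Roaming"}


def parse_c2(entry):
    """'host:port' -> (host, port); rejects a malformed port instead of guessing."""
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad C2 entry: {entry!r}")
    return host, int(port)


def expand(path_template, env):
    """Replace %Var% placeholders with the values of the target environment."""
    out = path_template
    for var, value in env.items():
        out = out.replace(var, value)
    return out


def expected_artifacts(cfg, env):
    """Host IoCs implied by the config. Disabled features yield None so a
    hunt does not search for artefacts this build will never create."""
    art = {"c2": parse_c2(cfg["c2"]), "mutex": cfg["mutex"],
           "install_exe": None, "run_value_name": None, "run_value_data": None,
           "keylog_file": None, "screenshot_dir": None}
    if cfg["install_flag"]:
        exe = ntpath.join(expand(cfg["install_path"], env),
                          cfg["copy_folder"], cfg["copy_file"])
        art["install_exe"] = exe
        art["run_value_name"] = cfg["startup_value"]
        art["run_value_data"] = f'"{exe}"'  # quoted, as the report shows it
    if cfg["keylog_flag"]:
        art["keylog_file"] = ntpath.join(expand(cfg["keylog_path"], env),
                                         cfg["keylog_folder"], cfg["keylog_file"])
    if cfg["screenshot_flag"]:
        art["screenshot_dir"] = ntpath.join(expand(cfg["screenshot_path"], env),
                                            cfg["screenshot_folder"])
    return art


# Run values observed in the report ("Adds Run key to start application").
OBSERVED_RUN_VALUES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bin",
     r'"C:\Users\Admin\AppData\Roaming\BIN\BIN.exe"'),
    (r"\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bin",
     r'"C:\Users\Admin\AppData\Roaming\BIN\BIN.exe"'),
]


def run_values_explained(art, observed):
    """Observed Run values whose name and data match the config-derived ones
    (case-insensitive, since the registry is)."""
    if art["run_value_name"] is None:
        return []
    return [key for key, data in observed
            if key.rsplit("\\", 1)[-1].lower() == art["run_value_name"].lower()
            and data.lower() == art["run_value_data"].lower()]


if __name__ == "__main__":
    arts = expected_artifacts(CONFIG, SANDBOX_ENV)
    for name, value in arts.items():
        print(f"{name:16} {value}")
    print("run values explained by config:",
          len(run_values_explained(arts, OBSERVED_RUN_VALUES)))
```

Both observed Run values are explained by the config alone, which is the useful property of an extracted config: the install path, value name and mutex can be pushed to hunting queries without waiting for a detonation, while the keylog and screenshot paths should not be hunted for in this build because their flags are false.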
Signatures
-
Executes dropped EXE 1 IoCs
Processes: BIN.exe
pid  process
3132  BIN.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe, WScript.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  WScript.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Both the machine-wide (WOW6432Node, i.e. the 32-bit view) and the per-user Run keys receive a value named "bin" pointing at the installed copy; the value name matches startup_value and the path matches install_path\copy_folder\copy_file in the extracted config.
Processes: SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\BIN\\BIN.exe\""  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Key created  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\BIN\\BIN.exe\""  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
-
Suspicious use of SetThreadContext 1 IoCs
The parent (PID 3456) spawns a second instance of its own image (PID 2136), writes into it repeatedly (see the WriteProcessMemory IoCs) and then replaces its thread context: the process-hollowing sequence. The four 508KB dumps taken from PID 2136 at 0x400000-0x47F000 (memory section below) differ in base and size from the parent's own 1.4MB image at 0xFE0000, consistent with a different executable having been written into the child.
Processes: SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
description  pid  process  target process
PID 3456 set thread context of 2136  3456  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; the extracted config identifies the sample as Remcos, and no file-encryption activity appears anywhere in this report.)
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\LASJvAOXx" is imported from an XML file in the user's temp directory (C:\Users\Admin\AppData\Local\Temp\tmp8C6C.tmp, 1KB, hashes listed under Downloads); the task body is therefore not visible on the command line (see schtasks.exe, PID 1504, in the process tree).
-
Modifies registry class 1 IoCs
Processes: SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
pid  process
3456  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
3456  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
description  pid  process
Token: SeDebugPrivilege  3456  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes: SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe, WScript.exe, cmd.exe
description  pid  process  target process  (count)
PID 3456 wrote to memory of 1504  3456  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe  schtasks.exe  (x3)
PID 3456 wrote to memory of 816  3456  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe  (x3)
PID 3456 wrote to memory of 2136  3456  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe  (x12)
PID 2136 wrote to memory of 3896  2136  SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe  WScript.exe  (x3)
PID 3896 wrote to memory of 1336  3896  WScript.exe  cmd.exe  (x3)
PID 1336 wrote to memory of 3132  1336  cmd.exe  BIN.exe  (x3)
Processes
(Indentation shows the parent/child depth of the original tree; PIDs are taken from the WriteProcessMemory and SetThreadContext IoCs above.)
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe (PID 3456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe (PID 1504)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LASJvAOXx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C6C.tmp"
    - Creates scheduled task(s)
  -
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe (PID 816)
    Command line: "{path}"
  -
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe (PID 2136)
    Command line: "{path}"
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\WScript.exe (PID 3896)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\cmd.exe (PID 1336)
        Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\BIN\BIN.exe"
        - Suspicious use of WriteProcessMemory
        -
        C:\Users\Admin\AppData\Roaming\BIN\BIN.exe (PID 3132)
          Command line: C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
          - Executes dropped EXE
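Detection logic run over the chain the process tree records. This is an added example, not part of the sandbox report: the event lists are constructed by hand from the report's process tree and signature IoCs, in a simple Sysmon-like record shape that is this example's assumption rather than the sandbox's export format. It flags the three things a responder would want from this report: the hollowed child, the scheduled task imported from a %TEMP% XML, and the dropped self-copy started through WScript.exe and cmd.exe.

```python
"""Detections over the behaviour recorded in this report.

Added example (not the sandbox's own tooling). PROCS, WRITES and CTX_SETS
are constructed from the report's process tree and signature IoCs.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe"
SHA256 = "f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27"

# Process creations: pid, parent pid, image, command line, hash where the report gives one.
PROCS = [
    dict(pid=3456, ppid=None, image=SAMPLE, cmdline=f'"{SAMPLE}"', sha256=SHA256),
    dict(pid=1504, ppid=3456, image=r"C:\Windows\SysWOW64\schtasks.exe",
         cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LASJvAOXx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C6C.tmp"'),
    dict(pid=816, ppid=3456, image=SAMPLE, cmdline='"{path}"'),
    dict(pid=2136, ppid=3456, image=SAMPLE, cmdline='"{path}"'),
    dict(pid=3896, ppid=2136, image=r"C:\Windows\SysWOW64\WScript.exe",
         cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'),
    dict(pid=1336, ppid=3896, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\BIN\BIN.exe"'),
    dict(pid=3132, ppid=1336, image=r"C:\Users\Admin\AppData\Roaming\BIN\BIN.exe",
         cmdline=r"C:\Users\Admin\AppData\Roaming\BIN\BIN.exe", sha256=SHA256),
]
# (writer, target) pairs from "Suspicious use of WriteProcessMemory" (27 IoCs).
WRITES = ([(3456, 1504)] * 3 + [(3456, 816)] * 3 + [(3456, 2136)] * 12
          + [(2136, 3896)] * 3 + [(3896, 1336)] * 3 + [(1336, 3132)] * 3)
# (caller, target) from "Suspicious use of SetThreadContext".
CTX_SETS = [(3456, 2136)]


def find_hollowed(procs, writes, ctx_sets):
    """A parent writes into a child spawned from its *own* image and then
    replaces the child's thread context. Every CreateProcess caller writes
    to its child (the three writes per child above, cmd.exe included), so
    the SetThreadContext step is what separates hollowing from that noise."""
    by_pid = {p["pid"]: p for p in procs}
    nwrites = Counter(writes)
    hits = []
    for src, dst in ctx_sets:
        child, parent = by_pid.get(dst), by_pid.get(src)
        if (child and parent and child["ppid"] == src
                and child["image"].lower() == parent["image"].lower()
                and nwrites[(src, dst)] > 0):
            hits.append(dst)
    return hits


SCHTASKS_RE = re.compile(
    r'schtasks\.exe"?\s+/Create\b.*?/TN\s+"([^"]+)".*?/XML\s+"([^"]+)"', re.I)


def find_schtasks_from_temp(procs):
    """schtasks /Create importing its task XML from the user's %TEMP%: the
    task body is not on the command line, so keep the XML path for triage."""
    hits = []
    for p in procs:
        m = SCHTASKS_RE.search(p["cmdline"])
        if m and re.search(r"\\AppData\\Local\\Temp\\", m.group(2), re.I):
            hits.append(dict(pid=p["pid"], task=m.group(1), xml=m.group(2)))
    return hits


def ancestry(procs, pid):
    """Image basenames of the process's ancestors, nearest parent first."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid and by_pid[pid]["ppid"] is not None:
        pid = by_pid[pid]["ppid"]
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
    return chain


def find_self_copies(procs, original_sha256, original_image):
    """Executed files with the submitted sample's hash but a different path:
    the installed copy, together with the chain that launched it."""
    return [dict(pid=p["pid"], image=p["image"], via=ancestry(procs, p["pid"]))
            for p in procs
            if p.get("sha256") == original_sha256
            and p["image"].lower() != original_image.lower()]


def analyse(procs=PROCS, writes=WRITES, ctx_sets=CTX_SETS):
    return dict(hollowed=find_hollowed(procs, writes, ctx_sets),
                schtasks=find_schtasks_from_temp(procs),
                self_copies=find_self_copies(procs, SHA256, SAMPLE))


if __name__ == "__main__":
    for name, findings in analyse().items():
        print(f"{name}: {findings}")
```

PID 816 receives the same kind of writes as PID 2136 and runs the same image, but no thread-context change is recorded for it, so it is deliberately not flagged; the twelve writes into 2136 followed by SetThreadContext are the hollowing signal, and the registry and script activity in the tree all descends from that hollowed instance.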
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize 406B
MD5 6635e7fa26b296a61475e4fc7fa2033b
SHA1 29ae9f05ce79a4239df1fa3f4a0426d1af269678
SHA256 1ed12f7480bbdc0450b1385ebb3559eb8369f69508f314bf2b31f3b399179b31
SHA512 7ae5d38eeb8c865033fda364f40f14c96e00bd45b4dac47c48bc9303b822dfb9a547bebc973ea6b96e9e1937affea541ba17689da6c6fe3462ea22e4b2bd868e
-
C:\Users\Admin\AppData\Local\Temp\tmp8C6C.tmp
Filesize 1KB
MD5 89ff55dc654420718adbfebddf17f6a0
SHA1 c1f1b3975e45b3a4e12bdb0b96c163895093524b
SHA256 4ce27a9cfc0cbe0c7e52a09b5e9d2263e119b8bfc1703c97aa3832013e41a719
SHA512 7b3e173095244163f66bcac277dbb56ec694b0c1379823570e4b90e3c8a45b284ebbdeded49e33a33cd087b7bbd4c630ba27632b631b9f82603cf19eb266c2f8
-
C:\Users\Admin\AppData\Roaming\BIN\BIN.exe (recorded twice in the report with identical hashes; they match the submitted sample, i.e. the installed copy is a byte-for-byte self-copy)
Filesize 1.4MB
MD5 fecaf29f4b5fa02b801f7dcaf13472d8
SHA1 ed394790fbd6c2adb6db9f4dc44d54dd85cc4171
SHA256 f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27
SHA512 993cc7f3055adf6e9ced61b4b4a1beb0f97a81e69dee6ba676229716d97a25ba63c3458485b618cdee4df8997d3e7828b98371494cbf0627d6f0ae8244f4032e
-
memory/816-139-0x0000000000000000-mapping.dmp
-
memory/1336-147-0x0000000000000000-mapping.dmp
-
memory/1504-137-0x0000000000000000-mapping.dmp
-
memory/2136-141-0x0000000000400000-0x000000000047F000-memory.dmp
Filesize 508KB
-
memory/2136-140-0x0000000000000000-mapping.dmp
-
memory/2136-145-0x0000000000400000-0x000000000047F000-memory.dmp
Filesize 508KB
-
memory/2136-142-0x0000000000400000-0x000000000047F000-memory.dmp
Filesize 508KB
-
memory/2136-143-0x0000000000400000-0x000000000047F000-memory.dmp
Filesize 508KB
-
memory/3132-148-0x0000000000000000-mapping.dmp
-
memory/3456-136-0x0000000005AF0000-0x0000000005AFA000-memory.dmp
Filesize 40KB
-
memory/3456-132-0x0000000000FE0000-0x0000000001148000-memory.dmp
Filesize 1.4MB
-
memory/3456-135-0x0000000005BE0000-0x0000000005C7C000-memory.dmp
Filesize 624KB
-
memory/3456-134-0x0000000005B40000-0x0000000005BD2000-memory.dmp
Filesize 584KB
-
memory/3456-133-0x0000000006050000-0x00000000065F4000-memory.dmp
Filesize 5.6MB
-
memory/3896-144-0x0000000000000000-mapping.dmp