Analysis

max time kernel: 30s
max time network: 33s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-02-2023 15:19
General

Target: 1.exe
Size: 36KB
MD5: 955254331ec1b57550742ed9b353b00f
SHA1: 3a00c062489de5371742bc5eca43ae8ec32affac
SHA256: e088712c8943c56456635938bc9668f0ca0724086525de9dc736ae5e77ee17a0
SHA512: 5e1aa13cf78fe3d6bfbc15eb2155dad30f0a6e6ea533df7f34ab06eb85ab87fa225c313753fc1886770c9990f2e87400fbfa7bea9a557f9f2acec8d3481b4d70
SSDEEP: 768:P5PHyCjmhFdWfLubuZ1kvIaEekM2C8cZNr1:P5PHfjGPAKbLVUer
Malware Config

Extracted

Family: remcos
Version: 1.7 Pro
Botnet: 1877
C2: hawler.duckdns.org:2404
    5.206.227.115:2404

audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: svshost.exe
copy_folder: 1877
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %WinDir%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: 1877
keylog_path: %AppData%
mouse_option: true
mutex: 1877_spelzoyulk
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: Google Update
take_screenshot_option: false
take_screenshot_time: 5

Reading the config against the behaviour below: install_flag is true with install_path %WinDir%, copy_folder 1877 and copy_file svshost.exe, which is exactly the C:\Windows\1877\svshost.exe drop recorded under Signatures; startup_value "Google Update" is the name given to the Run-key entries; and the botnet id 1877 reappears in copy_folder, keylog_folder and the mutex prefix. Offline keylogging (keylog_flag) and screenshot capture (screenshot_flag, take_screenshot_option) are switched off in this build, so logs.dat and the Screens folder are not expected on disk unless enabled later from the C2.
Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs
Processes: svshost.exe, 1.exe
  svshost.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\1877\\svshost.exe\""
  1.exe        Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\1877\\svshost.exe\""
  1.exe        Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\1877\\svshost.exe\""
  svshost.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\1877\\svshost.exe\""
Both Userinit and Shell are comma-separated command lists that Winlogon runs at interactive logon; the dropped binary is appended after the legitimate userinit.exe / explorer.exe entry rather than replacing it, so logon still looks normal and the implant survives removal of the Run keys below. The WOW6432Node path reflects the 32-bit sample writing through the registry redirector on the x64 image.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: 1.exe, svshost.exe
  1.exe        Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  svshost.exe  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: 1.exe, svshost.exe
  1.exe        Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  1.exe        Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\""
  svshost.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  svshost.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\""
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes: 1.exe
  1.exe  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 1 IoCs
Processes: svshost.exe
  PID 1444  svshost.exe
UPX packed file 5 IoCs
(The signature heading did not survive extraction; the rows below are the YARA rule hits, all on rule "upx".)
  resource                                                                     yara_rule
  behavioral1/memory/5056-132-0x0000000000400000-0x000000000041D000-memory.dmp  upx
  behavioral1/memory/5056-134-0x0000000000400000-0x000000000041D000-memory.dmp  upx
  C:\Windows\1877\svshost.exe                                                  upx
  C:\Windows\1877\svshost.exe                                                  upx
  behavioral1/memory/1444-140-0x0000000000400000-0x000000000041D000-memory.dmp  upx
Adds Run key to start application 2 TTPs 8 IoCs
Processes: svshost.exe, 1.exe
  svshost.exe  Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  svshost.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\""
  svshost.exe  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\
  svshost.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\""
  1.exe        Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  1.exe        Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\""
  1.exe        Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\
  1.exe        Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\""
Modifies WinLogon 2 TTPs 2 IoCs
Processes: svshost.exe, 1.exe
  svshost.exe  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\
  1.exe        Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\
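The Winlogon and Run-key writes above are the artefacts an analyst would sweep a fleet for. The script below is an added example (not sandbox output and not Remcos code) that applies two heuristics to registry writes like those in this report: Userinit/Shell values are split on commas and any entry outside an assumed default set is reported, and Run-style entries are flagged when the target is a <digits>\<name>.exe folder directly under C:\Windows or when the value name claims a vendor ("Google Update") that the path does not match. The default sets, the numeric-folder regex and the vendor heuristic are this example's own assumptions; the SAMPLE_WRITES list is constructed from the IoC tables on this page.

```python
"""Heuristic checks for Winlogon / Run-key persistence of the kind recorded
in this report.  Added example; the expected defaults and heuristics are
assumptions, and SAMPLE_WRITES is constructed from the IoC tables above."""
import re

# Assumed legitimate entries on a default Windows 10 x64 install.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}
EXPECTED_SHELL = {"explorer.exe"}

# Heuristic: an autostart whose target is <digits>\<name>.exe directly under
# C:\Windows (Remcos install_path=%WinDir%, copy_folder=<botnet id>).
NUMERIC_WINDIR_EXE = re.compile(r'^"?c:\\windows\\\d+\\[^\\]+\.exe"?$', re.I)


def split_winlogon_value(value: str) -> list[str]:
    """Userinit and Shell are comma-separated command lists; entries may be
    quoted and Userinit normally ends with a trailing comma.  Return the
    normalised (unquoted, lower-cased, non-empty) entries."""
    entries = []
    for item in value.split(","):
        item = item.strip().strip('"').strip()
        if item:
            entries.append(item.lower())
    return entries


def check_winlogon(value_name: str, data: str) -> list[str]:
    """Return every Userinit/Shell entry that is not in the expected set."""
    expected = EXPECTED_USERINIT if value_name.lower() == "userinit" else EXPECTED_SHELL
    return [e for e in split_winlogon_value(data) if e not in expected]


def check_run_entry(value_name: str, data: str) -> list[str]:
    """Return the reasons a Run / Policies\\Explorer\\Run entry looks suspicious."""
    reasons = []
    command = data.strip()
    if NUMERIC_WINDIR_EXE.match(command):
        reasons.append("target is <digits>\\<exe> directly under C:\\Windows")
    # Name/path mismatch: a value called "Google Update" whose command does
    # not point anywhere containing "google" (assumed heuristic).
    if "google" in value_name.lower() and "google" not in command.lower():
        reasons.append("value name impersonates a vendor updater")
    return reasons


def scan(registry_writes) -> list[str]:
    """registry_writes: iterable of (key, value_name, data) tuples.
    Returns one finding string per suspicious write."""
    findings = []
    for key, value_name, data in registry_writes:
        last_component = key.lower().rsplit("\\", 1)[-1]
        if last_component == "winlogon":
            for extra in check_winlogon(value_name, data):
                findings.append(f"Winlogon\\{value_name}: unexpected entry {extra}")
        elif last_component == "run":
            for reason in check_run_entry(value_name, data):
                findings.append(f"Run\\{value_name}: {reason}")
    return findings


# Constructed from the IoC tables in this report (hive names abbreviated).
SAMPLE_WRITES = [
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Userinit", r'C:\WINDOWS\system32\userinit.exe, "C:\Windows\1877\svshost.exe"'),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", r'explorer.exe, "C:\Windows\1877\svshost.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "Google Update", r'"C:\Windows\1877\svshost.exe"'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Google Update", r'"C:\Windows\1877\svshost.exe"'),
    # A clean default value, for contrast (constructed).
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Userinit", r"C:\Windows\system32\userinit.exe,"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_WRITES):
        print(finding)
```

On a live host the same functions can be fed from Get-ItemProperty / reg query output; the point of splitting Userinit and Shell rather than string-matching them is that an appended entry after the legitimate one, as here, still passes a naive "starts with userinit.exe" check.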
Program crash 1 IoCs
Processes: WerFault.exe
  PID 2884  WerFault.exe  target PID 2988  iexplore.exe
The crashed process is the iexplore.exe instance that svshost.exe wrote into and re-pointed with SetThreadContext (below), i.e. the injected payload, not Internet Explorer itself, is what faulted in the sandbox.
Suspicious use of SetThreadContext 1 IoCs
Processes: svshost.exe
  PID 1444 (svshost.exe) set thread context of PID 2988 (iexplore.exe)
Drops file in Windows directory 3 IoCs
Processes: 1.exe
  1.exe  File created                  C:\Windows\1877\svshost.exe
  1.exe  File opened for modification  C:\Windows\1877\svshost.exe
  1.exe  File opened for modification  C:\Windows\1877
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature says "likely ransomware behaviour"; that attribution does not apply here, since the sample is identified above as Remcos, a remote-access trojan, and drive enumeration is routine for a RAT's file-browsing features.
Runs ping.exe 1 TTPs 1 IoCs
Processes: PING.EXE
  PID 4708  PING 127.0.0.1 -n 2  (spawned by cmd.exe from install.bat; pinging localhost is the batch file's way of pausing briefly before launching the dropped copy, a stand-in for a sleep command)
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 1.exe, cmd.exe, svshost.exe
  PID 5056 (1.exe)        wrote to memory of PID 1088 (cmd.exe)        x3
  PID 1088 (cmd.exe)      wrote to memory of PID 4708 (PING.EXE)       x3
  PID 1088 (cmd.exe)      wrote to memory of PID 1444 (svshost.exe)    x3
  PID 1444 (svshost.exe)  wrote to memory of PID 2988 (iexplore.exe)   x8
The three writes per child are what ordinary process creation looks like in this trace; the eight writes into iexplore.exe, combined with the SetThreadContext call on the same target, are the injection.
Processes

C:\Users\Admin\AppData\Local\Temp\1.exe
  command: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Modifies WinLogon for persistence
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Adds policy Run key to start application
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command: PING 127.0.0.1 -n 2
      - Runs ping.exe

    C:\Windows\1877\svshost.exe
      command: "C:\Windows\1877\svshost.exe"
      - Modifies WinLogon for persistence
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies WinLogon
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\iexplore.exe
        command: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

        C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 236
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2988 -ip 2988
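The tree above shows the classic hollowing shape: svshost.exe launches a legitimate signed binary (iexplore.exe), writes into it repeatedly, and calls SetThreadContext on it, after which the target crashes. The following added example (not sandbox or Remcos code) shows the detection logic a SOC would run over process-event telemetry to pick that pairing out: a source process is reported only when it both wrote into a target and reset one of the target's thread contexts, so the three parent-to-child writes that accompany ordinary process creation (1.exe to cmd.exe, cmd.exe to PING.EXE) are not flagged. The EVENTS list is constructed from the WriteProcessMemory and SetThreadContext tables on this page; the event tuple layout and the min_writes parameter are this example's assumptions.

```python
"""Flag WriteProcessMemory + SetThreadContext on the same (source, target)
pair, the thread-context injection / process-hollowing pattern seen above.
Added example; EVENTS is constructed from this report's signature tables."""
from collections import defaultdict

# (api, source_pid, source_image, target_pid, target_image), built from the
# "Suspicious use of WriteProcessMemory" (17 rows) and
# "Suspicious use of SetThreadContext" (1 row) tables.
EVENTS = (
    [("WriteProcessMemory", 5056, "1.exe", 1088, "cmd.exe")] * 3
    + [("WriteProcessMemory", 1088, "cmd.exe", 4708, "PING.EXE")] * 3
    + [("WriteProcessMemory", 1088, "cmd.exe", 1444, "svshost.exe")] * 3
    + [("WriteProcessMemory", 1444, "svshost.exe", 2988, "iexplore.exe")] * 8
    + [("SetThreadContext", 1444, "svshost.exe", 2988, "iexplore.exe")]
)


def find_hollowing(events, min_writes=1):
    """Return one dict per (source, target) pair where the source both wrote
    into the target and called SetThreadContext on it.

    Plain parent->child writes are what CreateProcess itself produces in
    these traces, so writes alone are never enough; SetThreadContext on a
    process the caller also wrote into is the discriminator.  min_writes is
    an assumed knob for tuning noise, not a property of the technique."""
    writes = defaultdict(int)
    context_sets = set()
    images = {}
    for api, spid, simg, tpid, timg in events:
        pair = (spid, tpid)
        images[pair] = (simg, timg)
        if api == "WriteProcessMemory":
            writes[pair] += 1
        elif api == "SetThreadContext":
            context_sets.add(pair)

    hits = []
    for pair in sorted(context_sets):
        if writes[pair] >= min_writes:
            simg, timg = images[pair]
            hits.append({
                "source": f"{simg} (PID {pair[0]})",
                "target": f"{timg} (PID {pair[1]})",
                "writes": writes[pair],
            })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(EVENTS):
        print(f"{hit['source']} -> {hit['target']}: "
              f"{hit['writes']} writes + SetThreadContext")
```

Run against this report's events the only hit is svshost.exe (PID 1444) into iexplore.exe (PID 2988) with eight writes. In real telemetry the same rule is worth pairing with the target's creation flags (CREATE_SUSPENDED) and a later ResumeThread, which the sandbox tables here do not record.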
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize: 78B
  MD5: f35509e5938343750502f45e998f8d0c
  SHA1: 74efa4a149f83d677bdf347149d33e0c25cb5af0
  SHA256: 969621479c4bc68f58f32db1d20a5f389200fee6cdf30e73fe70072184f58afb
  SHA512: abb32f92b0dc6d76a5dd83a4d9268e321092626a5b810cbb9c96347e1b40d98ccada231b8d6ad5d5252a2e24082c88f184b201c399106248ea3de564b3483091

C:\Windows\1877\svshost.exe
  Filesize: 36KB
  MD5: 955254331ec1b57550742ed9b353b00f
  SHA1: 3a00c062489de5371742bc5eca43ae8ec32affac
  SHA256: e088712c8943c56456635938bc9668f0ca0724086525de9dc736ae5e77ee17a0
  SHA512: 5e1aa13cf78fe3d6bfbc15eb2155dad30f0a6e6ea533df7f34ab06eb85ab87fa225c313753fc1886770c9990f2e87400fbfa7bea9a557f9f2acec8d3481b4d70
  (Hashes are identical to the submitted 1.exe: the install step is a byte-for-byte self-copy, as the config's copy_file/copy_folder settings describe.)

Memory dumps
  memory/1088-133-0x0000000000000000-mapping.dmp
  memory/1444-137-0x0000000000000000-mapping.dmp
  memory/1444-140-0x0000000000400000-0x000000000041D000-memory.dmp  Filesize: 116KB
  memory/4708-136-0x0000000000000000-mapping.dmp
  memory/5056-132-0x0000000000400000-0x000000000041D000-memory.dmp  Filesize: 116KB
  memory/5056-134-0x0000000000400000-0x000000000041D000-memory.dmp  Filesize: 116KB
The 116KB regions at 0x400000 in PIDs 5056 (1.exe) and 1444 (svshost.exe) are the in-memory images of the 36KB UPX-packed file; these dumps, not the file on disk, are the ones to hand to the Remcos config extractor if the on-disk sample is unavailable.