Analysis
- max time kernel: 43s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20-02-2023 06:02
Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 1.exe
- Resource: win10v2004-20221111-en
General
- Target: 1.exe
- Size: 92KB
- MD5: 99e19c4a4a8a972005902bf6129867e9
- SHA1: 6f77809c678265c7beaa9bfd7f8eabffc78513e8
- SHA256: 334c23c94f9c6587e2afd0689796daa8791fda9b823b23836893b86f5cce849f
- SHA512: e216d880e785751375a7f3c8d1f532e530e06351f146a5f39cd4de6386993f81a37abe04b4d8c4c4db596e8730e766b994fde05a417085be3afb378c2da2ebf6
- SSDEEP: 1536:FhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6:7hzYTGWVvJ8f2v1TbPzuMsIFSHNThy+
Malware Config
Extracted
- Family: remcos
- Version: 1.7 Pro
- Botnet: 1877
- C2: hawler.duckdns.org:2404, 5.206.227.115:2404
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: svshost.exe
- copy_folder: 1877
- delete_file: false
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %WinDir%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: 1877
- keylog_path: %AppData%
- mouse_option: true
- mutex: 1877_spelzoyulk
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: Google Update
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  Processes: svshost.exe, 1.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\1877\\svshost.exe\"" (svshost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\1877\\svshost.exe\"" (svshost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\1877\\svshost.exe\"" (1.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\1877\\svshost.exe\"" (1.exe)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes: 1.exe, svshost.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (1.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (svshost.exe)
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Processes: 1.exe, svshost.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (1.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" (1.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svshost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" (svshost.exe)
- Executes dropped EXE (1 IoCs)
  - PID 2044 svshost.exe
- Loads dropped DLL (1 IoCs)
  - PID 1100 cmd.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: svshost.exe, 1.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" (svshost.exe)
  - Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (1.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" (1.exe)
  - Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ (1.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" (1.exe)
  - Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (svshost.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" (svshost.exe)
  - Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ (svshost.exe)
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Processes: 1.exe, svshost.exe
  - Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (1.exe)
  - Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (svshost.exe)
- Drops file in Windows directory (3 IoCs)
  Processes: 1.exe
  - File created C:\Windows\1877\svshost.exe (1.exe)
  - File opened for modification C:\Windows\1877\svshost.exe (1.exe)
  - File opened for modification C:\Windows\1877 (1.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  - PID 2044 svshost.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 1.exe, cmd.exe
  - PID 752 (1.exe) wrote to memory of PID 1100 (cmd.exe), 7 times
  - PID 1100 (cmd.exe) wrote to memory of PID 1988 (PING.EXE), 4 times
  - PID 1100 (cmd.exe) wrote to memory of PID 2044 (svshost.exe), 4 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\1.exe (PID 752)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  Signatures: Modifies WinLogon for persistence; Identifies VirtualBox via ACPI registry values (likely anti-VM); Adds policy Run key to start application; Adds Run key to start application; Modifies WinLogon; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1100)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 1988)
      Command line: PING 127.0.0.1 -n 2
      Signatures: Runs ping.exe
    - [3] C:\Windows\1877\svshost.exe (PID 2044)
      Command line: "C:\Windows\1877\svshost.exe"
      Signatures: Modifies WinLogon for persistence; Identifies VirtualBox via ACPI registry values (likely anti-VM); Adds policy Run key to start application; Executes dropped EXE; Adds Run key to start application; Modifies WinLogon; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize: 78B
  MD5: f35509e5938343750502f45e998f8d0c
  SHA1: 74efa4a149f83d677bdf347149d33e0c25cb5af0
  SHA256: 969621479c4bc68f58f32db1d20a5f389200fee6cdf30e73fe70072184f58afb
  SHA512: abb32f92b0dc6d76a5dd83a4d9268e321092626a5b810cbb9c96347e1b40d98ccada231b8d6ad5d5252a2e24082c88f184b201c399106248ea3de564b3483091
- C:\Windows\1877\svshost.exe (also listed as \Windows\1877\svshost.exe; identical hashes to the submitted sample 1.exe)
  Filesize: 92KB
  MD5: 99e19c4a4a8a972005902bf6129867e9
  SHA1: 6f77809c678265c7beaa9bfd7f8eabffc78513e8
  SHA256: 334c23c94f9c6587e2afd0689796daa8791fda9b823b23836893b86f5cce849f
  SHA512: e216d880e785751375a7f3c8d1f532e530e06351f146a5f39cd4de6386993f81a37abe04b4d8c4c4db596e8730e766b994fde05a417085be3afb378c2da2ebf6
- memory/752-54-0x0000000075D01000-0x0000000075D03000-memory.dmp
  Filesize: 8KB
- memory/1100-55-0x0000000000000000-mapping.dmp
- memory/1988-57-0x0000000000000000-mapping.dmp
- memory/2044-60-0x0000000000000000-mapping.dmp