bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4

Analysis

max time kernel
128s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe
Size

481KB
MD5

afd5059634526a62419420ec64bd3d73
SHA1

45fba7c55c1a7f3631f063a3db09902be00e58eb
SHA256

bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4
SHA512

032d784d2b0f606765f11c3eeef48aace205402a59fd50e323c899e59f8cd21b7daa34d870813134c7781f8eebed20a5cda9d6e9cf494aee9c5b94786940d18c
SSDEEP

12288:JRXxReZj3WZfj/2eSseWFaIe2+f8CL47bs/ZO2ZDU:Jx7cyF2eSsewS8W47eZj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2592	bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1256	2592	bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe	89
PID 2592 wrote to memory of 1256	2592	bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe	89
PID 2592 wrote to memory of 1256	2592	bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe	89

C:\Users\Admin\AppData\Local\Temp\bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe
"C:\Users\Admin\AppData\Local\Temp\bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jftazwudgzkqulxh.vbs"
  2⤵
  PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
a2a3571e1eea82aa1c2931969b6ede48

SHA1
134f10e3f7cf195d495eda5fce804fc745b7c0f2

SHA256
0c0346246f35bc5ccf74e894400bb688c778bf8148821e03177746d5fc647e6a

SHA512
3e77ea97141206b634247f961c4b1c273e4a3355322b83df3973ab47e6c3d7544f0aac7e7db3b002a79bced0997e5f2dd3f9a225981a4aa8dde6f06755e0525b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jftazwudgzkqulxh.vbs

Filesize
740B

MD5
e1f02213c17ad98db7fe76e2d9b53bd1

SHA1
54a80b453bed4d26d3ec33205af396c71ed10098

SHA256
317eff7c5697543803787a20246bc6a2f13496cb73f3e0e69511f6fc00a09dcf

SHA512
8bb12417ea23f389d82192a5663b9ffff3810d6ed5ea5cb6284c62b319d813339a3194abe72861f2a54f08ecdf42ae2e96132ff5bd657bb112a97cb360765fcc

Download Submit