Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231130-en locale:en-us os:windows10-2004-x64 system -
submitted
12-12-2023 13:58
Static task
static1
Behavioral task
behavioral1
Sample
INVB0987678000090000.BAT.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
INVB0987678000090000.BAT.exe
Resource
win10v2004-20231130-en
General
-
Target
INVB0987678000090000.BAT.exe
-
Size
904KB
-
MD5
4b08b3e2d346591d2f805256c63a8875
-
SHA1
8fb4067bf05ffeb0c16b9ac9ea38507889ca07b0
-
SHA256
f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c
-
SHA512
ece878beb8a207d08a8978f1978548e7f32c1ec6ca36647aa5549b99fcc587bc2e79f999e5dd6f3d32f1f8370ccff98f588e03baa1a8bcba3201ae997f71ace3
-
SSDEEP
24576:7pItSAdsBeO/ECXs95roy+qdi3E4RPrgjizt:9tpekEGs9DdEkjiz
Malware Config
Extracted
remcos
RemoteHost
107.175.229.139:8087
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-IZFV1M
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detect ZGRat V1 1 IoCs
Processes:
resource: behavioral2/memory/100-6-0x0000000005690000-0x00000000056A8000-memory.dmp
yara_rule: family_zgrat_v1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: INVB0987678000090000.BAT.exe
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation INVB0987678000090000.BAT.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes: INVB0987678000090000.BAT.exe
description pid process target process
PID 100 set thread context of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: powershell.exe, INVB0987678000090000.BAT.exe, powershell.exe
pid process
2936 powershell.exe
100 INVB0987678000090000.BAT.exe
100 INVB0987678000090000.BAT.exe
3120 powershell.exe
3120 powershell.exe
2936 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: powershell.exe, powershell.exe, INVB0987678000090000.BAT.exe
description pid process
Token: SeDebugPrivilege 2936 powershell.exe
Token: SeDebugPrivilege 3120 powershell.exe
Token: SeDebugPrivilege 100 INVB0987678000090000.BAT.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: INVB0987678000090000.BAT.exe
pid process
3472 INVB0987678000090000.BAT.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes: INVB0987678000090000.BAT.exe
description pid process target process
PID 100 wrote to memory of 2936 100 INVB0987678000090000.BAT.exe powershell.exe
PID 100 wrote to memory of 2936 100 INVB0987678000090000.BAT.exe powershell.exe
PID 100 wrote to memory of 2936 100 INVB0987678000090000.BAT.exe powershell.exe
PID 100 wrote to memory of 3120 100 INVB0987678000090000.BAT.exe powershell.exe
PID 100 wrote to memory of 3120 100 INVB0987678000090000.BAT.exe powershell.exe
PID 100 wrote to memory of 3120 100 INVB0987678000090000.BAT.exe powershell.exe
PID 100 wrote to memory of 380 100 INVB0987678000090000.BAT.exe schtasks.exe
PID 100 wrote to memory of 380 100 INVB0987678000090000.BAT.exe schtasks.exe
PID 100 wrote to memory of 380 100 INVB0987678000090000.BAT.exe schtasks.exe
PID 100 wrote to memory of 4460 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 4460 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 4460 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe
PID 100 wrote to memory of 3472 100 INVB0987678000090000.BAT.exe INVB0987678000090000.BAT.exe -
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\INVB0987678000090000.BAT.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\INVB0987678000090000.BAT.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100 -
    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INVB0987678000090000.BAT.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936 -
    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\okDinu.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3120 -
    Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\okDinu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp"
    - Creates scheduled task(s)
    PID:380 -
    Image: C:\Users\Admin\AppData\Local\Temp\INVB0987678000090000.BAT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVB0987678000090000.BAT.exe"
    PID:4460 -
    Image: C:\Users\Admin\AppData\Local\Temp\INVB0987678000090000.BAT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVB0987678000090000.BAT.exe"
    - Suspicious use of SetWindowsHookEx
    PID:3472
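The process tree above shows one parent (PID 100, running from %TEMP%) doing three things in sequence: adding Windows Defender exclusions through PowerShell, importing a scheduled task from an XML file in %TEMP%, and launching two fresh copies of its own image (the self-spawn that precedes the SetThreadContext and WriteProcessMemory signatures). The following is an added example, not part of the Triage report or of the sample: it replays that tree as constructed Sysmon-style process-creation records and implements detection logic for each of the three behaviours, then scores the parent that ties them together. The event records, the two benign control events, and the `ProcEvent`/`Finding` types are assumptions made for this illustration. Note that the report records the on-disk image under SysWOW64 while the command line names System32, which is WoW64 file-system redirection for a 32-bit parent; the rules therefore match on the recorded image path rather than on the path string inside the command line.

```python
"""Added example: detect the Defender-exclusion / schtasks-from-temp / self-spawn
chain seen in the report's process tree, over constructed process-creation events."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # on-disk image path, as the sandbox records it (after WoW64 redirection)
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    ppid: int
    detail: str


# Directory fragments a standard user can write to; used to spot untrusted parents
# and task definitions staged in temp locations (assumption: coverage is illustrative).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\INVB0987678000090000.BAT.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'

# Constructed from the Processes section of the report plus two benign controls
# (PIDs 5000 and 5001); this is not real telemetry.
EVENTS = [
    ProcEvent(100, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2936, 100, PS_IMAGE, PS_CMD + f' Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(3120, 100, PS_IMAGE, PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\okDinu.exe"'),
    ProcEvent(380, 100, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\okDinu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp"'),
    ProcEvent(4460, 100, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3472, 100, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(5000, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-MpPreference"),
    ProcEvent(5001, 4000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\update.xml"'),
]


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def value_after(toks, pattern):
    """Return the token that follows the first token fully matching pattern (case-insensitive)."""
    rx = re.compile(pattern, re.I)
    for i, tok in enumerate(toks[:-1]):
        if rx.fullmatch(tok):
            return toks[i + 1]
    return None


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_user_writable(path):
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def analyze(events):
    """Apply the three rules to every event and return the findings."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        toks = tokens(e.cmdline)
        parent = by_pid.get(e.ppid)
        # Rule 1: Defender exclusion added from the command line (Add-MpPreference -Exclusion*).
        # PowerShell accepts unambiguous parameter prefixes, so match -Exclusion followed by anything.
        if basename(e.image) in ("powershell.exe", "pwsh.exe") and any(t.lower() == "add-mppreference" for t in toks):
            excluded = value_after(toks, r"-exclusion\w*")
            if excluded is not None:
                findings.append(Finding("defender_exclusion", e.pid, e.ppid, excluded))
        # Rule 2: schtasks /Create importing its task definition from a user-writable temp path.
        if basename(e.image) == "schtasks.exe" and any(t.lower() == "/create" for t in toks):
            xml = value_after(toks, r"/xml")
            if xml is not None and in_user_writable(xml):
                findings.append(Finding("schtasks_xml_from_temp", e.pid, e.ppid, f"{value_after(toks, r'/tn')} <- {xml}"))
        # Rule 3: a process launching a new copy of its own image (self-spawn), the usual
        # prelude to writing into and redirecting the child's thread.
        if parent is not None and e.image.lower() == parent.image.lower():
            findings.append(Finding("self_spawn", e.pid, e.ppid, e.image))
    return findings


def score_parents(events, findings):
    """Group findings by parent PID and grade each parent: high when an untrusted
    (user-writable) image triggers two or more distinct rules."""
    by_pid = {e.pid: e for e in events}
    rules_by_parent = {}
    for f in findings:
        rules_by_parent.setdefault(f.ppid, set()).add(f.rule)
    verdicts = {}
    for ppid, rules in rules_by_parent.items():
        parent = by_pid.get(ppid)
        untrusted = parent is not None and in_user_writable(parent.image)
        if untrusted and len(rules) >= 2:
            level = "high"
        elif untrusted or len(rules) >= 2:
            level = "medium"
        else:
            level = "low"
        verdicts[ppid] = (level, sorted(rules))
    return verdicts


if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f"{f.rule:<24} pid={f.pid:<5} ppid={f.ppid:<5} {f.detail}")
    print(score_parents(EVENTS, found))
```

Run as-is, the two control events produce no findings, while PID 100 is graded high because its image lives under %TEMP% and it triggers all three rules; the same three functions can be fed real Sysmon Event ID 1 records by mapping `Image`, `CommandLine`, `ProcessId` and `ParentProcessId` into `ProcEvent`.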
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5
402960a28ecb79f06df74a370a0b2f53
SHA1
3fa06dcbf89ce95a9ccfb7bb2372e168bbde7385
SHA256
b2cd9ce67f526e3ba0fee5f9f490e724e3a2ec178fdda31866e478ff630973be
SHA512
7ace2daaedd3ab51e52302cd3800fd0baf609e241e2ab88156f02657223f9d6e3c947472c425de10e820d3f053095e057a555062aee6bd48f7506230d1825b37
-
Filesize
2KB
MD5
968cb9309758126772781b83adb8a28f
SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5
91fabf24f636f42dbd908b7671f7997f
SHA1
6a73a304358db7405ef97cf511352802f0f8c68b
SHA256
0500cee8da46e1a89641dbda7ccdcfb7a9d31bbe7a5ad995632e203d80bae835
SHA512
e235f393994a2177456a7052f08d25903d487d26fbc9eb4e13fedeabc634acf4e4ce2c36be8fb40a658b33d2c7f265e34b1121cc625a520b28aff261d773698b
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5
73bb88b086f7dfa86458d4a0f5aeab76
SHA1
9c08cd06c912b07bed4361a007f85a5e431ef25c
SHA256
37f1ad946c02883f54fac44c0dc0a5841e9ab1e84234fcaf454ba87637405247
SHA512
236866ff02f45d91fe54bf07863a7ea4528ad8fbfe4a9ca0fd1cc7413b2cf8a9d081b6046991c640aa66ed3a850ae0100a961d37fd3f1d643bf0894cdc0015a7