Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
26-01-2024 11:23
Behavioral task
behavioral1
Sample
683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
Resource
win10v2004-20231215-en
General
-
Target
683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
(note: the filename looks like a SHA-256 but does not match the file's computed SHA256 below; pivot on the computed hashes, not on the name)
-
Size
92KB
-
MD5
b9bb1c480c1846c1ab8d8a80641f601e
-
SHA1
6c00fcb947e69893d368ff3a3353a75840a45d41
-
SHA256
6260ea5e3859eb49798e72ed358f78ddefbb52fdda33582546f540148c05ae80
-
SHA512
171a6a6c11ba32bdf1d9461e0be1606b968014987a08de4d3421e899f225bfa73c2c136e833c5ccc18b6dc2a3d762c27cc34f25399071f069d3a5e7a58e7eeb8
-
SSDEEP
1536:yhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESnNTh91e63WfmTr:shzYTGWVvJ8f2v1TbPzuMsIFSnNTh3Lx
Malware Config
Extracted
-
family
remcos
-
version
1.7 Pro
-
botnet
1877
-
c2
hawler.duckdns.org:2404
5.206.227.115:2404
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
svshost.exe
-
copy_folder
1877
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%WinDir%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
1877
-
keylog_path
%AppData%
-
mouse_option
true
-
mutex
1877_spelzoyulk
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
Google Update
-
take_screenshot_option
false
-
take_screenshot_time
5
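The extracted settings above predict where this sample will land on disk, under what autorun name it registers, and where it would write logs if the keylog and screenshot flags were on. The following is an added worked example (not the report's or Remcos's own code) that expands those settings into the concrete host artifacts and cross-checks them against the file write observed later in this report. The placeholder-to-path mapping (where %WinDir% and %AppData% resolve for the sandbox's Admin user) is an assumption; the config values and the observed path are transcribed from this page.

```python
"""Expand extracted Remcos settings into the host artifacts they imply.

Added example. The config dict is transcribed from the report above; the
environment mapping below is an assumption about the sandbox image.
"""
import ntpath
import re

# Transcribed from the report's extracted config (fields relevant to host artifacts).
REMCOS_CFG = {
    "install_flag": True,
    "install_path": "%WinDir%",
    "copy_folder": "1877",
    "copy_file": "svshost.exe",
    "startup_value": "Google Update",
    "mutex": "1877_spelzoyulk",
    "keylog_flag": False,
    "keylog_path": "%AppData%",
    "keylog_folder": "1877",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screens",
    "c2": ["hawler.duckdns.org:2404", "5.206.227.115:2404"],
}

# Assumed resolution of the placeholders for the 'Admin' user seen in the process tree.
ASSUMED_ENV = {
    "%WinDir%": r"C:\Windows",
    "%AppData%": r"C:\Users\Admin\AppData\Roaming",
}

# Transcribed from the report's 'Drops file in Windows directory' entry.
OBSERVED_FILE_CREATED = [r"C:\Windows\1877\svshost.exe"]


def expand(path, env=ASSUMED_ENV):
    """Replace %VAR% placeholders case-insensitively (lambda avoids re escaping of backslashes)."""
    for name, value in env.items():
        path = re.sub(re.escape(name), lambda _m, v=value: v, path, flags=re.IGNORECASE)
    return path


def split_c2(entry):
    """'host:port' -> (host, port). Remcos configs list one host:port per entry."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def artifacts_from_config(cfg, env=ASSUMED_ENV):
    """Return the file, autorun, mutex and network artifacts the config predicts."""
    art = {"c2": [split_c2(e) for e in cfg["c2"]], "mutex": cfg["mutex"]}
    if cfg.get("install_flag"):
        # install_path\copy_folder\copy_file is the self-copy location.
        art["install_exe"] = ntpath.join(expand(cfg["install_path"], env),
                                         cfg["copy_folder"], cfg["copy_file"])
        # startup_value is the name under which the copy is registered (Run keys in this report).
        art["autorun_value_name"] = cfg["startup_value"]
    if cfg.get("keylog_flag"):
        art["keylog_file"] = ntpath.join(expand(cfg["keylog_path"], env),
                                        cfg["keylog_folder"], cfg["keylog_file"])
    if cfg.get("screenshot_flag"):
        art["screenshot_dir"] = ntpath.join(expand(cfg["screenshot_path"], env),
                                           cfg["screenshot_folder"])
    return art


def unexplained_writes(cfg, observed, env=ASSUMED_ENV):
    """Observed file creations the config does not account for (worth a closer look)."""
    predicted = {v.lower() for k, v in artifacts_from_config(cfg, env).items()
                 if k.endswith(("_exe", "_file"))}
    return [p for p in observed if p.lower() not in predicted]


if __name__ == "__main__":
    for key, value in artifacts_from_config(REMCOS_CFG).items():
        print(f"{key:20} {value}")
    print("unexplained:", unexplained_writes(REMCOS_CFG, OBSERVED_FILE_CREATED))
```

With keylog_flag and screenshot_flag both false, no log or screenshot paths are predicted, which is consistent with the report listing only the self-copy under C:\Windows\1877.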
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Processes: 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe, svshost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\1877\\svshost.exe\"" | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\1877\\svshost.exe\"" | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\1877\\svshost.exe\"" | svshost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\1877\\svshost.exe\"" | svshost.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe, svshost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svshost.exe
-
Detects Windows executables potentially bypassing UAC using eventvwr.exe 3 IoCs
(This is a static YARA match on the in-memory image and the dropped copy, not an observed eventvwr.exe launch; no eventvwr.exe appears in the process tree below.)
Processes:
resource | yara_rule
behavioral1/memory/2924-0-0x0000000000400000-0x0000000000417000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
C:\Windows\1877\svshost.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2688-16-0x0000000000400000-0x0000000000417000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe, svshost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svshost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" | svshost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
-
Executes dropped EXE 1 IoCs
Processes: svshost.exe
pid | process
2688 | svshost.exe
-
Loads dropped DLL 2 IoCs
Processes: cmd.exe
pid | process
2028 | cmd.exe
2028 | cmd.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe, svshost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" | svshost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Windows\\1877\\svshost.exe\"" | svshost.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe, svshost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | svshost.exe
-
Drops file in Windows directory 3 IoCs
Processes: 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
description | ioc | process
File created | C:\Windows\1877\svshost.exe | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
File opened for modification | C:\Windows\1877\svshost.exe | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
File opened for modification | C:\Windows\1877 | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
svshost.exepid process 2688 svshost.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe, cmd.exe
description | pid | process | target process
PID 2924 wrote to memory of 2028 (x7) | 2924 | 683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe | cmd.exe
PID 2028 wrote to memory of 2296 (x4) | 2028 | cmd.exe | PING.EXE
PID 2028 wrote to memory of 2688 (x4) | 2028 | cmd.exe | svshost.exe
(Every target here is a child the listed parent had just created; on its own this signature reflects ordinary process creation and is not evidence of injection into a foreign process.)
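The persistence writes above are the registry changes a responder would want to recognise on a live host: Winlogon\Shell and Winlogon\Userinit with a second command appended, a Policies\Explorer\Run value, and Run values pointing into a numeric folder under C:\Windows. The following is an added detection example, not part of the report or of any vendor tooling. The event list is transcribed from the "Set value (str)" entries above with the escaping removed, plus two constructed clean baselines; the rule thresholds (Shell must be exactly explorer.exe, Userinit must be only userinit.exe) are the editor's assumptions about a default Windows install.

```python
"""Rule checks for the Winlogon and Run-key writes listed in the Signatures section.

Added detection example. Events are transcribed from this report (unescaped);
the two 'clean' entries at the end are constructed baselines.
"""
import re

# (registry value path, data written)
EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     r'explorer.exe, "C:\Windows\1877\svshost.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     r'C:\WINDOWS\system32\userinit.exe, "C:\Windows\1877\svshost.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google Update",
     r'"C:\Windows\1877\svshost.exe"'),
    (r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update",
     r'"C:\Windows\1877\svshost.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update",
     r'"C:\Windows\1877\svshost.exe"'),
    # Constructed clean baselines (assumed default values) so the rules have something to pass.
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     r"C:\Windows\system32\userinit.exe,"),
]

# Run values whose target lives in an all-digit folder directly under C:\Windows
# (the copy_folder pattern this sample uses).
NUMERIC_WINDOWS_DIR = re.compile(r"(?i)^c:\\windows\\\d+\\")


def _entries(data):
    """Split a comma-separated Winlogon value into trimmed, unquoted entries."""
    return [e.strip().strip('"') for e in data.split(",") if e.strip()]


def check_event(value_path, data):
    """Return finding strings for one registry write (empty list when benign)."""
    findings = []
    key, _, name = value_path.rpartition("\\")
    key_l, name_l = key.lower(), name.lower()

    if key_l.endswith(r"\winlogon"):
        entries = _entries(data)
        if name_l == "shell" and [e.lower() for e in entries] != ["explorer.exe"]:
            findings.append(f"Winlogon\\Shell altered: {data}")
        if name_l == "userinit":
            extra = [e for e in entries if not e.lower().endswith(r"\system32\userinit.exe")]
            if extra:
                findings.append(f"Winlogon\\Userinit chains extra binaries: {extra}")

    if r"\policies\explorer\run" in key_l:
        # Policy Run keys are rarely populated on workstations; any write is worth review.
        findings.append(f"Policy Run value '{name}' -> {data}")
    elif key_l.endswith(r"\currentversion\run"):
        target = data.strip().strip('"')
        if NUMERIC_WINDOWS_DIR.match(target):
            findings.append(f"Run value '{name}' points into a numeric folder under C:\\Windows: {target}")
    return findings


def scan(events):
    """Apply check_event to every (path, data) pair and flatten the findings."""
    return [(path, f) for path, data in events for f in check_event(path, data)]


if __name__ == "__main__":
    for path, finding in scan(EVENTS):
        print(finding)
```

The Userinit rule tolerates the trailing comma Windows keeps in the default value and matches on the path suffix, so both the Wow6432Node and native views of the key are covered.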
Processes
-
C:\Users\Admin\AppData\Local\Temp\683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe (PID 2924, level 1)
command: "C:\Users\Admin\AppData\Local\Temp\683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe"
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Adds policy Run key to start application
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2028, level 2, parent 2924)
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 2296, level 3, parent 2028)
    command: PING 127.0.0.1 -n 2
    - Runs ping.exe
    C:\Windows\1877\svshost.exe (PID 2688, level 3, parent 2028)
    command: "C:\Windows\1877\svshost.exe"
    - Modifies WinLogon for persistence
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Suspicious use of SetWindowsHookEx
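The process tree shows the installer chain this sample uses: the dropper writes install.bat and runs it through cmd.exe, the batch file pings 127.0.0.1 as a short sleep (a common stand-in for a sleep command in batch files), and then starts the copy from C:\Windows\1877. The following is an added detection example, not part of the report, that finds that chain in process-creation records. The records are transcribed from the process tree, with PIDs taken from the WriteProcessMemory entries above; the parent of the initial sample is not shown on the page and is left as None, and the regular expressions are the editor's.

```python
"""Detect the cmd-runs-temp-batch -> ping-loopback-delay -> launch-dropped-EXE chain.

Added detection example. Process records are transcribed from this report's
process tree (PIDs from its WriteProcessMemory section); rules are the editor's.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\683fa1e449da9b71d0cafefb107efd97f0f8163f844dd837d12c354c2b901b93.exe"

# (pid, parent pid, image path, command line)
PROCS = [
    (2924, None, SAMPLE, f'"{SAMPLE}"'),
    (2028, 2924, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "'),
    (2296, 2028, r"C:\Windows\SysWOW64\PING.EXE", "PING 127.0.0.1 -n 2"),
    (2688, 2028, r"C:\Windows\1877\svshost.exe", r'"C:\Windows\1877\svshost.exe"'),
]

# ping to loopback with a repeat count: the classic batch-file sleep.
PING_SLEEP = re.compile(r"(?i)\bping(\.exe)?\b.*?(127\.0\.0\.1|localhost)\b.*\s-n\s+\d+")
# cmd.exe executing a .bat/.cmd that lives under a Temp directory.
BATCH_FROM_TEMP = re.compile(r'(?i)\bcmd(\.exe)?\b.*\s/c\s.*\\temp\\[^"]+\.(bat|cmd)\b')
# Children started from these directories are treated as system utilities, not payloads.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def find_ping_delay_installs(procs):
    """One hit per cmd.exe that ran a temp batch file and, from it, both slept via
    ping and started an executable outside the system directories."""
    children = defaultdict(list)
    for pid, ppid, image, cmdline in procs:
        children[ppid].append((pid, image, cmdline))

    hits = []
    for pid, _ppid, image, cmdline in procs:
        if not (image.lower().endswith("\\cmd.exe") and BATCH_FROM_TEMP.search(cmdline)):
            continue
        sleeps = [c for c in children[pid] if PING_SLEEP.search(c[2])]
        launches = [c for c in children[pid]
                    if c[1].lower().endswith(".exe")
                    and not c[1].lower().startswith(SYSTEM_DIRS)]
        if sleeps and launches:
            hits.append({"cmd_pid": pid,
                         "sleep_pid": sleeps[0][0],
                         "launched": [c[1] for c in launches]})
    return hits


if __name__ == "__main__":
    for hit in find_ping_delay_installs(PROCS):
        print(hit)
```

Requiring both the ping sleep and a non-system child under the same cmd.exe keeps the rule from firing on ordinary admin batch files that only ping, or only start a program.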
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (4)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (2)
Privilege Escalation
- Boot or Logon Autostart Execution (4)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (2)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
78B
MD5
f35509e5938343750502f45e998f8d0c
SHA1
74efa4a149f83d677bdf347149d33e0c25cb5af0
SHA256
969621479c4bc68f58f32db1d20a5f389200fee6cdf30e73fe70072184f58afb
SHA512
abb32f92b0dc6d76a5dd83a4d9268e321092626a5b810cbb9c96347e1b40d98ccada231b8d6ad5d5252a2e24082c88f184b201c399106248ea3de564b3483091
-
C:\Windows\1877\svshost.exe (identical hashes to the submitted sample: a plain self-copy)
Filesize
92KB
MD5
b9bb1c480c1846c1ab8d8a80641f601e
SHA1
6c00fcb947e69893d368ff3a3353a75840a45d41
SHA256
6260ea5e3859eb49798e72ed358f78ddefbb52fdda33582546f540148c05ae80
SHA512
171a6a6c11ba32bdf1d9461e0be1606b968014987a08de4d3421e899f225bfa73c2c136e833c5ccc18b6dc2a3d762c27cc34f25399071f069d3a5e7a58e7eeb8
-
memory/2688-16-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB
-
memory/2924-0-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB