Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
12-03-2024 03:20
General
-
Target
f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
-
Size
2.5MB
-
MD5
411c2e3611e8ee701918cfe17399da79
-
SHA1
a01d2ceb1b9d0e002eb67a00fbac9238285dce85
-
SHA256
f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04
-
SHA512
c68a62e0342cdaaa23a8ad385551dff3d7f60e34c28c63797ef8d5969e714df6b0f7fa66a8904aaf65c034c26860f21453434e8678a48d149b2137054ee57b50
-
SSDEEP
49152:YBO8QRm2I9bC9hY8PU5sevK7F6wd0HL5xRpMrpaKE9eFodKe/HT0:Y88QRmVluhnPyhyx30HlUpaKpodtHT0
Malware Config
Extracted
xworm
3.1
gamemodz.duckdns.org:7000
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
remcos
RemoteHost
gamemodz.duckdns.org:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
sysupdate.exe
-
copy_folder
sysupdate
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-FEY33U
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
-
Detect Xworm Payload 1 IoCs
-
Detect ZGRat V1 34 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Xworm
Xworm is a remote access trojan written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 4 IoCs
-
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
-
Detects command variations typically used by ransomware 2 IoCs
-
Renames multiple (202) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Drops desktop.ini file(s) 34 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe"C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sysupdate.exe"C:\Users\Admin\AppData\Local\Temp\sysupdate.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\sysupdate\sysupdate.exe"C:\ProgramData\sysupdate\sysupdate.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://i.imgflip.com/1p7cdj.jpg5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9287046f8,0x7ff928704708,0x7ff9287047186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:16⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\shout.exe"C:\Users\Admin\AppData\Local\Temp\shout.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"6⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt7⤵
- Opens file in notepad (likely ransom note)
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exeC:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
927B
MD5ef1b4e3bfd6facbbb8d6a12f5f5e32de
SHA18f3ef66bf86f1697c520303c78b11d58165d146f
SHA256c652040e1a2f251b1b9e69419d6a53a91e850ea48491b3c54c2ff4a4a2907cd1
SHA512b6329c2a18217008c5e3544313cd1c7135468c5fb45e5104b9fa2f55a1f14804e66b6b9afcaa8e813cb522f536c06dba32f3afd469c4958a7c57d7df4c0e7315
-
Filesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
Filesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
Filesize
181B
MD5b21ae766b110e1629786f5da99de89a2
SHA14cb98cf651feff75456ef21ff8e783582ad50e17
SHA256c8e2d1be2bb7db63fdea39880d0f6f4c170540e270b7adeaaaf38994b93a6683
SHA5120ad80718132200b865696c208e545ac1b982378424ba9ecd754a5adf87f9e6a0ac3a7f19c516dbe883e7cbd82e0d6c8b0970fd6ad47e0e2a8647e4ef5f96857c
-
Filesize
6KB
MD5b3b0b9b61a1bb691c806f6bca93c73d8
SHA17b22b905ab4b7affa5aaa32956b580b88c5c0526
SHA25650676629ffbd6ebe20a06bbc18e939d6c0c785dfe192916a653dbac269cebfea
SHA512e2c591fabc3b12980f907cb01c3cfa237a8611d270ac30a0efc7ace3ad7c815c3940c3fc4cd8655c65ddabd02a5fdf38f4c2bf52047c81124b903943711fbf2f
-
Filesize
6KB
MD50fd7f7d233f1c953c9d16d12b52f5407
SHA1761a7f674138fb23b7ac60e1bb489654a49e8e54
SHA256380a981bd177b00f4c5badd1c59d70d15948e5a337c6191524c5cc37540a1ca6
SHA5120d686647cdf610b87619f6d86b9f6ddaf49c5204533987edf5ec84c04359e4d4b0886f8b472d000b0993d572ca063a19e6f26c8370556a453d8b0baf4f9d6d7b
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5d77adc90f879235928243a3cb7a14a3b
SHA1196b4b89bcb3a7cc8d89221c9e38bd20ea114ab6
SHA25607d732c7bba7df4c5775be3e9e7d9df860a9b50e8d73ee627e8b42126d0ade8a
SHA512ba5731068cc3f77b0e02cd50f620721f92c83f01eb782cf7129d48d448dc9c4f07085090b56bf1eaa4692303000c64b8bf3e5c387e3f51ef516d940703ac6d84
-
Filesize
11KB
MD512686e6e746662a9d6770912c65184d2
SHA144025094f6f34e26099c99ed9b95d8c54ea46bdf
SHA2565e65218ab2d5d6c8353dd5fa909d7ad1e35a092c06cecdd8d1946e041efb0193
SHA5123ab992672238da9f762ca249b7286a2806590a004436dd9dfec3968309b3f7d80d9df65b818badc60b37236c26a723a5f328e630e34215c98dd9d9ae36cdbd14
-
Filesize
84KB
MD57051dcbe9a0837a312b09a5ae3b42430
SHA13553ff8725a57929e438228bf141b695c13cecb4
SHA256ce750c7054359e9e88556d48f7eea341374b74f494caed48251185b54c9ed644
SHA5122e82160bff1fbdd6f6a9f0210dfaf831650fdefdf8e3bb70c3c2717122b107ef3610c5c5f55908843df7ba3bd3bbefc40b9d1dda07877083cbd2ab8b090a276c
-
Filesize
483KB
MD5bdfa7710dfc213d8babcd7348440deeb
SHA1ecd7d6ad5a3e0cc8c24ce1f12a40b0c86a769f98
SHA25679ec51c588fccbe876f58de8a0256e27de65aa14f245615c42bd92cc640063fe
SHA512663eb74fba1e38d3f930c0d73787309f86b85852cbccae1b44d3056a6073a95494c1526dc98d132f84a71e379babc5bd6819e76643f82fcd5591e264825fb2ee
-
Filesize
140B
MD5ee20a3aaf13c2d8805ede471f1f3ed3c
SHA1bac14bc149af77885de0f6997fe3f3bf3f9686ad
SHA256b9afbd14a42e996a8de6eba45b8a6df17a958f1b269913eab89484f62d373919
SHA5128dea66d1bb1ee359b61fa32e3a45a1d66cf8987fdbec4218ef258b58aaaf9475e77bff2d40f9f28f4a75f321de6f86de6f42ab3cd7afee4e213ffbe3ae03f714
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
40KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
480KB
-
Filesize
304KB
-
Filesize
2.2MB
-
Filesize
5.6MB
-
Filesize
2.2MB
-
Filesize
7.7MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
7.7MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.5MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
10.8MB