Analysis
- max time kernel: 16s
- max time network: 17s
- platform: windows10-1703_x64
- resource: win10-20240214-en
- resource tags: arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 20-03-2024 13:42
General
- Target: explorer.exe
- Size: 36KB
- MD5: 722f70f7c2d8ce48d62723390d7a1898
- SHA1: a57fd2bee605c399cf92f21b051479049c4868fb
- SHA256: a6f04a175ecb36c0813e7a8d7504709bc3fd633e05622f2f7bab422d096b2077
- SHA512: 9fa61013ee3f5ae00c96c6d89026fb84122fd0eb4b349582b8d8b911fbd894d4ab44d3221ec26f327eb33dcdb839e443971ef7ec677819c4d879d6d2a48c45d6
- SSDEEP: 768:55PHyCjmhFdWfLubuZ1kvIaEekM26Jr1:55PHfjGPAKbLVPJr
Malware Config
Extracted: remcos 1.7 Pro
- Host: 10.0.2.15:2402
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: U32c.exe
- copy_folder: MicrosoftCryptographie
- delete_file: true
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %UserProfile%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: true
- mutex: remcos_idwxrxyimd
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: Windows Defender
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes: explorer.exe, U32c.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorer.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (U32c.exe)
- Executes dropped EXE (1 IoCs)
  Processes: U32c.exe
  - PID 2056 U32c.exe
- Resources matching YARA rule upx
  - behavioral1/memory/4932-0-0x0000000000400000-0x000000000041D000-memory.dmp
  - behavioral1/memory/4932-6-0x0000000000400000-0x000000000041D000-memory.dmp
  - C:\Users\Admin\MicrosoftCryptographie\U32c.exe
  - behavioral1/memory/4548-11-0x0000000000400000-0x000000000041D000-memory.dmp
  - behavioral1/memory/2056-12-0x0000000000400000-0x000000000041D000-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: U32c.exe, explorer.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "\"C:\\Users\\Admin\\MicrosoftCryptographie\\U32c.exe\"" (U32c.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "\"C:\\Users\\Admin\\MicrosoftCryptographie\\U32c.exe\"" (explorer.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: U32c.exe
  - PID 2056 (U32c.exe) set thread context of PID 4548 (iexplore.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: explorer.exe, cmd.exe, U32c.exe
  - PID 4932 (explorer.exe) wrote to memory of PID 3208 (cmd.exe): 3 events
  - PID 3208 (cmd.exe) wrote to memory of PID 224 (PING.EXE): 3 events
  - PID 3208 (cmd.exe) wrote to memory of PID 2056 (U32c.exe): 3 events
  - PID 2056 (U32c.exe) wrote to memory of PID 4548 (iexplore.exe): 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: PING 127.0.0.1 -n 2
      - Runs ping.exe
    - C:\Users\Admin\MicrosoftCryptographie\U32c.exe
      command line: "C:\Users\Admin\MicrosoftCryptographie\U32c.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize: 151B
  MD5: e3f663d9772f7a77ab0f383dfac6ce5f
  SHA1: cddb0ceb970c3813e4517a5eaaf1317644bb9621
  SHA256: e684e4aa8c83d2e283ee5af8348a1f447dc6a353f9e8c1178d5d2f7b455ed572
  SHA512: 422c723dd0d6660252e3f7274f124d463078198b31ef4729861bbde00455badde55289f6408c5ea1ca2a01625e5f1fd2d457d5ad45460d6a1748408cccaf1365
- C:\Users\Admin\MicrosoftCryptographie\U32c.exe
  Filesize: 36KB
  MD5: 722f70f7c2d8ce48d62723390d7a1898
  SHA1: a57fd2bee605c399cf92f21b051479049c4868fb
  SHA256: a6f04a175ecb36c0813e7a8d7504709bc3fd633e05622f2f7bab422d096b2077
  SHA512: 9fa61013ee3f5ae00c96c6d89026fb84122fd0eb4b349582b8d8b911fbd894d4ab44d3221ec26f327eb33dcdb839e443971ef7ec677819c4d879d6d2a48c45d6
- memory/2056-12-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/4548-11-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/4932-0-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/4932-6-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB