Analysis
- max time kernel: 120s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-04-2024 07:57
Behavioral task: behavioral1
- Sample: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
- Resource: win7-20240221-en
General
- Target: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
- Size: 100KB
- MD5: a6a0219b8024a45895471d2373df0705
- SHA1: e59e9f9290097c827263db55b8896c0401234d1f
- SHA256: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71
- SHA512: c1bd154651600eec5b9bb4bdd70b99fa3a6850139d7581ece14998b3a4c2228f8c20db294d2d2366fc18935ae2cf8adbcb561f4f280cf4d841cbd30b5c0b894c
- SSDEEP: 3072:vhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+JP/P67ro:vhzOv2fM13jsIFSHNT7P/P63o
Malware Config
Extracted: remcos 1.7 Pro
- Host: 185.241.208.113:2404
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: JavaUpdate.exe
- copy_folder: JavaUpdater
- delete_file: true
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: Java
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_fcstxhoeka
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: Java Updater
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes:
  - JavaUpdate.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\""
  - 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\""
- (signature heading lost in extraction; the same reg.exe commands are tagged "UAC bypass" in the process tree below) (3 IoCs)
  Processes:
  - reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  - reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  - reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Deletes itself (1 IoC)
  Processes:
  - PID 2664 cmd.exe
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 2528 JavaUpdate.exe
- Loads dropped DLL (4 IoCs)
  Processes:
  - PID 2664 cmd.exe
  - PID 2528 JavaUpdate.exe
  - PID 2528 JavaUpdate.exe
  - PID 2528 JavaUpdate.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe: Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\""
  - JavaUpdate.exe: Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\""
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Processes:
  - 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\
  - JavaUpdate.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 2528 JavaUpdate.exe set thread context of PID 2436 iexplore.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 3 IoCs)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 2436 iexplore.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeRestorePrivilege, PID 2528 JavaUpdate.exe
  - Token: SeBackupPrivilege, PID 2528 JavaUpdate.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 2436 iexplore.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (distinct parent -> target writes; each pair occurs several times in the raw table):
  - PID 3008 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe wrote to memory of PID 2752 cmd.exe
  - PID 2752 cmd.exe wrote to memory of PID 2960 reg.exe
  - PID 3008 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe wrote to memory of PID 2664 cmd.exe
  - PID 2664 cmd.exe wrote to memory of PID 2564 PING.EXE
  - PID 2664 cmd.exe wrote to memory of PID 2528 JavaUpdate.exe
  - PID 2528 JavaUpdate.exe wrote to memory of PID 2736 cmd.exe
  - PID 2528 JavaUpdate.exe wrote to memory of PID 2436 iexplore.exe
  - PID 2436 iexplore.exe wrote to memory of PID 2584 cmd.exe
  - PID 2736 cmd.exe wrote to memory of PID 2412 reg.exe
  - PID 2584 cmd.exe wrote to memory of PID 2424 reg.exe
Processes (nesting shows parent/child; the level number is the tree depth from the sandbox report)
- C:\Users\Admin\AppData\Local\Temp\8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Modifies WinLogon
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (level 3)
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: PING 127.0.0.1 -n 2
      - Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies WinLogon
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (level 5)
          Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe (level 4)
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (level 5)
          Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe (level 6)
            Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - UAC bypass
            - Modifies registry key
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (2)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (2)
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.bat
  - Filesize: 218B
  - MD5: 2ec57f4b54ce5465d19b056bf856fbd0
  - SHA1: 589fcd5278b3875888764f2b718da6b5ed899d4c
  - SHA256: 2ebe9e31b91bf05aee177a0c8927016b78004445fd581f45e916ffd2adf26753
  - SHA512: 4242c08c6bb461f83c4d0e6cee120efc293e319ab720879ae269c776ed43452506838af76bbb174f24a643b26770729fb68f42ea231c14383537694435ec123d
- \Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe
  - Filesize: 100KB
  - MD5: a6a0219b8024a45895471d2373df0705
  - SHA1: e59e9f9290097c827263db55b8896c0401234d1f
  - SHA256: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71
  - SHA512: c1bd154651600eec5b9bb4bdd70b99fa3a6850139d7581ece14998b3a4c2228f8c20db294d2d2366fc18935ae2cf8adbcb561f4f280cf4d841cbd30b5c0b894c
- memory/2436-17-0x0000000000400000-0x0000000000419000-memory.dmp
  - Filesize: 100KB