Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-04-2024 01:31
Behavioral task
- behavioral1
- Sample: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
- Resource: win7-20240221-en
General
- Target: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
- Size: 100KB
- MD5: a6a0219b8024a45895471d2373df0705
- SHA1: e59e9f9290097c827263db55b8896c0401234d1f
- SHA256: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71
- SHA512: c1bd154651600eec5b9bb4bdd70b99fa3a6850139d7581ece14998b3a4c2228f8c20db294d2d2366fc18935ae2cf8adbcb561f4f280cf4d841cbd30b5c0b894c
- SSDEEP: 3072:vhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+JP/P67ro:vhzOv2fM13jsIFSHNT7P/P63o
Malware Config
Extracted
remcos
1.7 Pro
- Host: 185.241.208.113:2404
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: JavaUpdate.exe
- copy_folder: JavaUpdater
- delete_file: true
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: Java
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_fcstxhoeka
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: Java Updater
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe, JavaUpdate.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" (process: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" (process: JavaUpdate.exe)
- [signature name not present in the extracted text]
  Processes: reg.exe, reg.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: reg.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: reg.exe)
- Detects Windows executables potentially bypassing UAC using eventvwr.exe (2 IoCs)
  Resource / YARA rule:
  - \Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
  - behavioral1/memory/2660-17-0x0000000000400000-0x0000000000419000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
- Deletes itself (1 IoC)
  Processes: cmd.exe
  - PID 1808 cmd.exe
- Executes dropped EXE (1 IoC)
  Processes: JavaUpdate.exe
  - PID 2928 JavaUpdate.exe
- Loads dropped DLL (4 IoCs)
  Processes: cmd.exe, JavaUpdate.exe
  - PID 1808 cmd.exe
  - PID 2928 JavaUpdate.exe (3 times)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe, JavaUpdate.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" (process: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" (process: JavaUpdate.exe)
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Processes: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe, JavaUpdate.exe
  - Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe)
  - Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: JavaUpdate.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: JavaUpdate.exe
  - PID 2928 set thread context of 2660 (JavaUpdate.exe -> iexplore.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 2 IoCs)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: JavaUpdate.exe
  - Token: SeRestorePrivilege (PID 2928 JavaUpdate.exe)
  - Token: SeBackupPrivilege (PID 2928 JavaUpdate.exe)
- Suspicious use of WriteProcessMemory (54 IoCs)
  Processes: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe, cmd.exe, cmd.exe, JavaUpdate.exe, cmd.exe
  Identical entries are grouped with their count; the counts sum to the 54 IoCs listed above.
  - PID 2056 wrote to memory of 1800 (8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe -> cmd.exe): 4 times
  - PID 1800 wrote to memory of 1792 (cmd.exe -> reg.exe): 4 times
  - PID 2056 wrote to memory of 1808 (8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe -> cmd.exe): 7 times
  - PID 1808 wrote to memory of 2132 (cmd.exe -> PING.EXE): 4 times
  - PID 1808 wrote to memory of 2928 (cmd.exe -> JavaUpdate.exe): 7 times
  - PID 2928 wrote to memory of 2644 (JavaUpdate.exe -> cmd.exe): 7 times
  - PID 2928 wrote to memory of 2660 (JavaUpdate.exe -> iexplore.exe): 14 times
  - PID 2644 wrote to memory of 2580 (cmd.exe -> reg.exe): 7 times
Processes
- C:\Users\Admin\AppData\Local\Temp\8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Modifies WinLogon
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (level 3)
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: PING 127.0.0.1 -n 2
      - Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies WinLogon
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (level 5)
          Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe (level 4)
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution: 3
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 2
Privilege Escalation
- Boot or Logon Autostart Execution: 3
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 2
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize: 218B
  MD5: 2ec57f4b54ce5465d19b056bf856fbd0
  SHA1: 589fcd5278b3875888764f2b718da6b5ed899d4c
  SHA256: 2ebe9e31b91bf05aee177a0c8927016b78004445fd581f45e916ffd2adf26753
  SHA512: 4242c08c6bb461f83c4d0e6cee120efc293e319ab720879ae269c776ed43452506838af76bbb174f24a643b26770729fb68f42ea231c14383537694435ec123d
- \Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe
  Filesize: 100KB
  MD5: a6a0219b8024a45895471d2373df0705
  SHA1: e59e9f9290097c827263db55b8896c0401234d1f
  SHA256: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71
  SHA512: c1bd154651600eec5b9bb4bdd70b99fa3a6850139d7581ece14998b3a4c2228f8c20db294d2d2366fc18935ae2cf8adbcb561f4f280cf4d841cbd30b5c0b894c
- memory/2660-17-0x0000000000400000-0x0000000000419000-memory.dmp
  Filesize: 100KB