Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 12:39
Behavioral task: behavioral1
Sample: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
Resource: win7-20240221-en
General
Target: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
Size: 100KB
MD5: a6a0219b8024a45895471d2373df0705
SHA1: e59e9f9290097c827263db55b8896c0401234d1f
SHA256: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71
SHA512: c1bd154651600eec5b9bb4bdd70b99fa3a6850139d7581ece14998b3a4c2228f8c20db294d2d2366fc18935ae2cf8adbcb561f4f280cf4d841cbd30b5c0b894c
SSDEEP: 3072:vhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+JP/P67ro:vhzOv2fM13jsIFSHNT7P/P63o
Malware Config
Extracted
Family: remcos
Version: 1.7 Pro
Host: 185.241.208.113:2404
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: JavaUpdate.exe
copy_folder: JavaUpdater
delete_file: true
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: Java
keylog_path: %AppData%
mouse_option: false
mutex: remcos_fcstxhoeka
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: Java Updater
take_screenshot_option: false
take_screenshot_time: 5
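The config fields above map directly onto the artifacts the sandbox later records (install_path\copy_folder\copy_file becomes the dropped binary, startup_value becomes the Run key name, and the same path is written into the Winlogon Shell value). The Python below is an added example, not part of the sandbox report or of the Remcos tooling: it parses the extracted key/value list and derives the expected host indicators. The config text is copied from the report; the username Admin, the Roaming-profile expansion of %AppData%, and the keylog path layout (install-path style, used only when keylog_flag is true) are assumptions.

```python
"""Derive host artifacts from the extracted Remcos config.

Added example, not part of the sandbox report. REMCOS_CONFIG below is copied
from the key/value list in the report; the profile layout used to expand
%AppData% and the keylog path layout are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Extracted config, copied from the report (the fields that produce artifacts).
REMCOS_CONFIG = """\
Host 185.241.208.113:2404
copy_file JavaUpdate.exe
copy_folder JavaUpdater
install_flag true
install_path %AppData%
keylog_file logs.dat
keylog_flag false
keylog_folder Java
keylog_path %AppData%
mutex remcos_fcstxhoeka
startup_value Java Updater
"""


def parse_config(text: str) -> dict:
    """Split 'key value' lines; values may contain spaces ('Java Updater')."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def expand_remcos_path(path: str, user: str) -> str:
    """Expand %AppData% as the sandbox resolved it (Roaming profile).

    Assumption: default Windows profile layout C:\\Users\\<user>\\AppData\\Roaming.
    """
    return path.replace("%AppData%", "C:\\Users\\" + user + "\\AppData\\Roaming")


@dataclass
class HostArtifacts:
    c2: Tuple[str, int]
    install_exe: Optional[str]     # None when install_flag is false
    keylog_file: Optional[str]     # None when keylog_flag is false
    run_key_name: str
    run_key_value: Optional[str]   # Run value as the report shows it (quoted path)
    winlogon_shell: Optional[str]  # Winlogon\Shell value as the report shows it
    mutex: str


def artifacts_from_config(cfg: dict, user: str = "Admin") -> HostArtifacts:
    host, _, port = cfg["Host"].rpartition(":")
    install_exe = None
    if cfg.get("install_flag") == "true":
        install_exe = "\\".join([
            expand_remcos_path(cfg["install_path"], user),
            cfg["copy_folder"],
            cfg["copy_file"],
        ])
    keylog_file = None
    if cfg.get("keylog_flag") == "true":
        # Assumption: the keylog path is laid out like the install path.
        keylog_file = "\\".join([
            expand_remcos_path(cfg["keylog_path"], user),
            cfg["keylog_folder"],
            cfg["keylog_file"],
        ])
    return HostArtifacts(
        c2=(host, int(port)),
        install_exe=install_exe,
        keylog_file=keylog_file,
        run_key_name=cfg["startup_value"],
        run_key_value=None if install_exe is None else '"' + install_exe + '"',
        winlogon_shell=None if install_exe is None else 'explorer.exe, "' + install_exe + '"',
        mutex=cfg["mutex"],
    )


if __name__ == "__main__":
    print(artifacts_from_config(parse_config(REMCOS_CONFIG)))
```

With the config as extracted, the derived Run value and Winlogon Shell string are byte-for-byte the values listed under Signatures, which is the check worth running before trusting a config extractor's output on a new sample.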
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe, JavaUpdate.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" | 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" | JavaUpdate.exe
UAC bypass 2 TTPs 3 IoCs
Processes: reg.exe, reg.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
Executes dropped EXE 1 IoCs
Processes: JavaUpdate.exe
pid | process
1000 | JavaUpdate.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe, JavaUpdate.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" | 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" | JavaUpdate.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe, JavaUpdate.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | JavaUpdate.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: JavaUpdate.exe
description | pid | process | target process
PID 1000 set thread context of 3440 | 1000 | JavaUpdate.exe | iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry key 1 TTPs 3 IoCs
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: iexplore.exe
pid | process
3440 | iexplore.exe
Suspicious use of WriteProcessMemory 37 IoCs
Processes: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe, cmd.exe, cmd.exe, JavaUpdate.exe, iexplore.exe, cmd.exe, cmd.exe
description | pid | process | target process | events
PID 4576 wrote to memory of 3536 | 4576 | 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe | cmd.exe | 3
PID 3536 wrote to memory of 2740 | 3536 | cmd.exe | reg.exe | 3
PID 4576 wrote to memory of 2924 | 4576 | 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe | cmd.exe | 3
PID 2924 wrote to memory of 1664 | 2924 | cmd.exe | PING.EXE | 3
PID 2924 wrote to memory of 1000 | 2924 | cmd.exe | JavaUpdate.exe | 3
PID 1000 wrote to memory of 4124 | 1000 | JavaUpdate.exe | cmd.exe | 3
PID 1000 wrote to memory of 3440 | 1000 | JavaUpdate.exe | iexplore.exe | 10
PID 3440 wrote to memory of 4552 | 3440 | iexplore.exe | cmd.exe | 3
PID 4124 wrote to memory of 2152 | 4124 | cmd.exe | reg.exe | 3
PID 4552 wrote to memory of 3276 | 4552 | cmd.exe | reg.exe | 3
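The registry and memory-write IoCs above can be checked mechanically rather than read by eye. The Python below is an added example, not code from the sandbox or the report: it runs three registry rules (Winlogon Shell changed away from explorer.exe, EnableLUA set to 0, a Run key pointing into a user-writable directory) and one injection rule (a target that both received WriteProcessMemory events and a SetThreadContext call from the same source) over a constructed event list. The events are built from the IoC lines in this section plus two benign control entries; the field names are an assumed, simplified Sysmon-like schema, not a real log format.

```python
"""Detection rules for the Signatures above, run over constructed events.

Added example, not part of the sandbox report. EVENTS is constructed from the
IoC lines in the Signatures section plus two benign control entries; the field
names are an assumed, simplified Sysmon-like schema.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE = "8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe"
WINLOGON = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"
ENABLELUA = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
RUN = "\\REGISTRY\\USER\\S-1-5-21-2288054676-1871194608-3559553667-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
PAYLOAD = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe"


def reg(proc, pid, key, value):
    return {"type": "reg_set", "proc": proc, "pid": pid, "key": key, "value": value}


def write(src_pid, src, dst_pid, dst, n):
    """n WriteProcessMemory events from src to dst (read-only, so sharing one dict is fine)."""
    return [{"type": "proc_write", "src_pid": src_pid, "src": src,
             "dst_pid": dst_pid, "dst": dst}] * n


EVENTS: List[Dict] = [
    reg(SAMPLE, 4576, WINLOGON, 'explorer.exe, "' + PAYLOAD + '"'),
    reg("JavaUpdate.exe", 1000, WINLOGON, 'explorer.exe, "' + PAYLOAD + '"'),
    reg("reg.exe", 2740, ENABLELUA, "0"),
    reg(SAMPLE, 4576, RUN + "Java Updater", '"' + PAYLOAD + '"'),
    # Benign control (constructed): an installer writing a Run key under Program Files.
    reg("setup.exe", 900, RUN + "Vendor Agent", '"C:\\Program Files\\Vendor\\agent.exe"'),
    # Benign control (constructed): Winlogon Shell rewritten with its default value.
    reg("setup.exe", 900, WINLOGON, "explorer.exe"),
    *write(4576, SAMPLE, 3536, "cmd.exe", 3),
    *write(2924, "cmd.exe", 1000, "JavaUpdate.exe", 3),
    *write(1000, "JavaUpdate.exe", 4124, "cmd.exe", 3),
    *write(1000, "JavaUpdate.exe", 3440, "iexplore.exe", 10),
    {"type": "set_thread_context", "src_pid": 1000, "src": "JavaUpdate.exe",
     "dst_pid": 3440, "dst": "iexplore.exe"},
]

# Directories an unprivileged user can write to; a Run key into one of these is worth a look.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public)\\", re.I)


def detect_registry(events):
    """Registry rules: Winlogon Shell hijack, UAC disabled, Run key into a user-writable dir."""
    hits = []
    for ev in events:
        if ev["type"] != "reg_set":
            continue
        key, value = ev["key"].lower(), ev["value"].strip()
        if key.endswith("\\winlogon\\shell") and value.lower() != "explorer.exe":
            hits.append(("winlogon_shell_hijack", ev["pid"], value))
        elif key.endswith("\\policies\\system\\enablelua") and value == "0":
            hits.append(("uac_disabled", ev["pid"], value))
        elif "\\currentversion\\run\\" in key and USER_WRITABLE.search(value):
            hits.append(("run_key_user_writable", ev["pid"], value))
    return hits


def detect_injection(events):
    """Flag a (source, target) pair with both memory writes and a SetThreadContext call.

    Ordinary parent->child starts in this report show only three writes and no
    SetThreadContext, so the cmd.exe and reg.exe children are not flagged.
    """
    writes = defaultdict(int)
    ctx = set()
    names = {}
    for ev in events:
        pair = (ev.get("src_pid"), ev.get("dst_pid"))
        if ev["type"] == "proc_write":
            writes[pair] += 1
        elif ev["type"] == "set_thread_context":
            ctx.add(pair)
        else:
            continue
        names[pair] = (ev["src"], ev["dst"])
    return [{"src_pid": s, "src": names[(s, d)][0], "dst_pid": d,
             "dst": names[(s, d)][1], "writes": writes[(s, d)]}
            for (s, d) in sorted(ctx)]


if __name__ == "__main__":
    for h in detect_registry(EVENTS):
        print("registry:", h)
    for h in detect_injection(EVENTS):
        print("injection:", h)
```

On the constructed events the registry rules return exactly the four malicious writes listed above and ignore both controls, and the injection rule returns a single pair, JavaUpdate.exe (1000) into iexplore.exe (3440) with ten writes, which is the hollowed process the memory dump at the end of the report comes from.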
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies WinLogon
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe
            command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - UAC bypass
            - Modifies registry key
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE
            command line: PING 127.0.0.1 -n 2
            - Runs ping.exe
        [3] C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe
            command line: "C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe"
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Modifies WinLogon
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe
                command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\reg.exe
                    command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                    - UAC bypass
                    - Modifies registry key
            [4] C:\Program Files (x86)\Internet Explorer\iexplore.exe
                command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\cmd.exe
                    command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\SysWOW64\reg.exe
                        command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                        - UAC bypass
                        - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize: 218B
MD5: 2ec57f4b54ce5465d19b056bf856fbd0
SHA1: 589fcd5278b3875888764f2b718da6b5ed899d4c
SHA256: 2ebe9e31b91bf05aee177a0c8927016b78004445fd581f45e916ffd2adf26753
SHA512: 4242c08c6bb461f83c4d0e6cee120efc293e319ab720879ae269c776ed43452506838af76bbb174f24a643b26770729fb68f42ea231c14383537694435ec123d
C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe
Filesize: 100KB
MD5: a6a0219b8024a45895471d2373df0705
SHA1: e59e9f9290097c827263db55b8896c0401234d1f
SHA256: 8bebd7cc515650c4af50bf56987bbc5959b742647333be47b810f2c7442eac71
SHA512: c1bd154651600eec5b9bb4bdd70b99fa3a6850139d7581ece14998b3a4c2228f8c20db294d2d2366fc18935ae2cf8adbcb561f4f280cf4d841cbd30b5c0b894c
All four hashes match the submitted sample: the installed copy is the original binary, placed at install_path\copy_folder\copy_file from the config.
memory/3440-9-0x0000000000400000-0x0000000000419000-memory.dmp
Filesize: 100KB
Dump of the 0x400000-0x419000 image region of iexplore.exe (PID 3440), the process that received the SetThreadContext call and the ten WriteProcessMemory events from JavaUpdate.exe; the region is the same size as the sample.