Analysis

max time kernel: 159s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-04-2024 03:26

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
  Resource: win10v2004-20240226-en

The results on this page are from the behavioral2 run (windows10-2004_x64, win10v2004-20240226-en).
General

Target: SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
Size: 1.0MB
MD5: 18fba1571b2ef85ee29d7629b0360f8b
SHA1: 160a5e70d376d45de6f8ca69cf00bdfe0530ce72
SHA256: 20f140b6b03ab5318a5c9ce920528c982184ea1fa5e4e51dd3925eedf36ea924
SHA512: 0ff5e16ddc13cdcfe5624f3eb7d2535ef40a825f1dfc758cf3d41c390c6ce73c06d501be5c4ed16927dc2f8a6d6287ba06c5d8c43e51595f461a2552b1dd2d2b
SSDEEP: 24576:1VsubUUqO599RV00dK3mtjs/c9+NHU8koM/EmRHGzY:LsubUUqOz9f0Fmtwv/O/BGzY
Malware Config

Extracted family: remcos
Botnet: ELKA
C2:
  republic-fountain.gl.at.ply.gg:17113
  everyone-clinic.gl.at.ply.gg:17632
Both C2 hostnames are under gl.at.ply.gg, the playit.gg tunnelling service: the operator's real host sits behind a shared relay, so block or alert on the hostname:port pairs rather than on whatever IP the relay happens to resolve to.

audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 0
copy_file: adobe.exe
copy_folder: system
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: files
keylog_path: %UserProfile%
mouse_option: false
mutex: RM-RMasj21984u31e3u2jdas9d21-OU6GOC
screenshot_crypt: true
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 60
take_screenshot_option: false
take_screenshot_time: 5

Note that install_flag, keylog_flag and screenshot_flag are all false. This build does not use Remcos' own installer, so the copy_folder/copy_file values (system, adobe.exe) are not expected to appear on disk, and with the keylogger and screenshot modules off, hide_keylog_file and screenshot_crypt have no effect. The persistence observed in this run (the Run key and the scheduled task under Signatures) is set up by the loader before the Remcos payload runs, under the name svchost.exe rather than adobe.exe. The mutex and the two C2 endpoints are the config items that apply as-is.
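The config above is only useful for hunting once the module flags are taken into account. The following script is an added example (not Tria.ge's extractor and not Remcos code): it parses a constructed excerpt of the "Malware Config" block in the page's own flattened layout (family, botnet id, one C2 per line, then key/value pairs separated by "-"), turns it into a dict, and emits the artifacts worth looking for. It assumes Remcos composes its install path as install_path\copy_folder\copy_file (and the keylog and screenshot locations the same way), and uses placeholder expansions for %AppData% and %UserProfile%; both are assumptions, not facts from the report.

```python
"""Turn an extracted Remcos config into a hunt list that honours the module flags."""

# Constructed excerpt of the report's "Malware Config" block, same layout as the page.
CONFIG_TEXT = (
    "Extracted\nremcos\nELKA\n"
    "republic-fountain.gl.at.ply.gg:17113\neveryone-clinic.gl.at.ply.gg:17632\n-\n"
    "copy_file\nadobe.exe\n-\ncopy_folder\nsystem\n-\n"
    "install_flag\nfalse\n-\ninstall_path\n%AppData%\n-\n"
    "keylog_file\nlogs.dat\n-\nkeylog_flag\nfalse\n-\nkeylog_folder\nfiles\n-\n"
    "keylog_path\n%UserProfile%\n-\nmutex\nRM-RMasj21984u31e3u2jdas9d21-OU6GOC\n-\n"
    "screenshot_flag\nfalse\n-\nscreenshot_folder\nScreenshots\n-\nscreenshot_path\n%AppData%\n"
)

# Assumed placeholder expansions; <user> is filled in per host during a hunt.
ENV = {"%AppData%": r"C:\Users\<user>\AppData\Roaming", "%UserProfile%": r"C:\Users\<user>"}


def parse_config(text):
    """Parse the flattened block into a dict; 'true'/'false' become booleans."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != "Extracted":
        raise ValueError("not an 'Extracted' config block")
    blocks, cur = [], []
    for ln in lines[1:]:
        if ln == "-":
            blocks.append(cur)
            cur = []
        else:
            cur.append(ln)
    if cur:
        blocks.append(cur)
    head = blocks[0]  # family, botnet id, then one C2 endpoint per line
    cfg = {"family": head[0], "botnet": head[1], "c2": head[2:]}
    for blk in blocks[1:]:
        if len(blk) == 2:
            key, val = blk
            cfg[key] = {"true": True, "false": False}.get(val.lower(), val)
    return cfg


def expand(path):
    for var, real in ENV.items():
        path = path.replace(var, real)
    return path


def hunt_list(cfg):
    """Artifacts to look for, emitted only when the matching module is enabled."""
    items = [("mutex", cfg["mutex"])]
    for endpoint in cfg["c2"]:
        host, port = endpoint.rsplit(":", 1)
        note = ""
        if host.endswith(".ply.gg"):
            # playit.gg tunnel hostname: the real host is behind the relay, so
            # match on the FQDN:port pair rather than the relay's IP address.
            note = " (playit.gg relay)"
        items.append(("c2", f"{host}:{port}{note}"))
    # Path composition below (install_path\copy_folder\copy_file etc.) is assumed.
    if cfg.get("install_flag"):
        items.append(("install", "\\".join([expand(cfg["install_path"]), cfg["copy_folder"], cfg["copy_file"]])))
    if cfg.get("keylog_flag"):
        items.append(("keylog", "\\".join([expand(cfg["keylog_path"]), cfg["keylog_folder"], cfg["keylog_file"]])))
    if cfg.get("screenshot_flag"):
        items.append(("screenshots", "\\".join([expand(cfg["screenshot_path"]), cfg["screenshot_folder"]])))
    return items


if __name__ == "__main__":
    for kind, value in hunt_list(parse_config(CONFIG_TEXT)):
        print(f"{kind:12} {value}")
```

With this sample's flags the hunt list is just the mutex and the two C2 endpoints; flipping install_flag or keylog_flag to true in the parsed dict shows the file paths a differently configured build would leave behind.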
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
Process: PID 4468 svchost.exe
The dropped file is the copy written to C:\Users\Admin\AppData\Roaming; its hashes are identical to the submitted sample (see Downloads).

Uses the VBS compiler for execution (1 TTP)
No IoC listed; vbc.exe appears in the process tree as a child of the dropped svchost.exe.

Adds Run key to start application (2 TTPs, 1 IoC)
Process: SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""
The value name and file name mimic the Windows service host. The genuine svchost.exe lives only under C:\Windows\System32 (and SysWOW64), so an svchost.exe image path under a user profile is a reliable check on its own.

Suspicious use of SetThreadContext (1 IoC)
PID 4468 svchost.exe set thread context of PID 2056 ilasm.exe
Read together with the repeated WriteProcessMemory hits below and the 0x400000-0x482000 dumps of PID 2056 under Downloads, this is the point where the payload is written into a child ilasm.exe (the IL assembler from the .NET Framework v4.0.30319 directory) and executed there instead of in the dropped binary.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: PID 3096 schtasks.exe (full command line under Processes)

Delays execution with timeout.exe (1 IoC)
Process: PID 1772 timeout.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
PID 1968 SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe: 24 hits
PID 4468 svchost.exe: 1 hit

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token SeDebugPrivilege: PID 1968 SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
Token SeDebugPrivilege: PID 4468 svchost.exe

Suspicious use of WriteProcessMemory (45 IoCs)
Writes per source -> target pair:
PID 1968 SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe -> PID 3928 cmd.exe: 2
PID 1968 SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe -> PID 3448 cmd.exe: 2
PID 3928 cmd.exe -> PID 3096 schtasks.exe: 2
PID 3448 cmd.exe -> PID 1772 timeout.exe: 2
PID 3448 cmd.exe -> PID 4468 svchost.exe: 2
PID 4468 svchost.exe -> PID 2312 notepad.exe: 10
PID 4468 svchost.exe -> PID 2044 vbc.exe: 3
PID 4468 svchost.exe -> PID 3208 cmd.exe: 10
PID 4468 svchost.exe -> PID 2056 ilasm.exe: 12
Every ordinary child spawn in this run shows exactly two writes from its parent. The larger counts all come from the dropped svchost.exe into notepad.exe, vbc.exe, cmd.exe and ilasm.exe, and only ilasm.exe also received SetThreadContext, so it is the process that was actually hollowed; the other three were written to but never given a new thread context.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
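The WriteProcessMemory and SetThreadContext signatures are the raw material for working out which child was hollowed. The script below is an added example, not part of the sandbox's own tooling: it parses the run-together "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" and "PID <src> set thread context of <dst> ..." records in the form the report prints them, counts writes per source/target pair, and splits targets into hollowed (written to and given a new thread context), probed (written to more than a plain spawn would need, but no SetThreadContext) and plain spawns. The IoC text is a constructed reproduction with the same PIDs, image names and hit counts as the report; the two-writes-per-spawn baseline is an assumption taken from this run, not a general constant.

```python
"""Rebuild the injection picture from Tria.ge-style WriteProcessMemory/SetThreadContext IoC text."""
import re
from collections import Counter

SAMPLE = "SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe"


def _w(src, dst, src_img, dst_img, n):
    """One report-style WriteProcessMemory record, repeated n times (constructed input)."""
    return f"PID {src} wrote to memory of {dst} {src} {src_img} {dst_img} " * n


# Constructed reproduction of the report's 45 WriteProcessMemory hits.
WRITE_IOCS = (
    _w(1968, 3928, SAMPLE, "cmd.exe", 2)
    + _w(1968, 3448, SAMPLE, "cmd.exe", 2)
    + _w(3448, 1772, "cmd.exe", "timeout.exe", 2)
    + _w(3928, 3096, "cmd.exe", "schtasks.exe", 2)
    + _w(3448, 4468, "cmd.exe", "svchost.exe", 2)
    + _w(4468, 2312, "svchost.exe", "notepad.exe", 10)
    + _w(4468, 2044, "svchost.exe", "vbc.exe", 3)
    + _w(4468, 3208, "svchost.exe", "cmd.exe", 10)
    + _w(4468, 2056, "svchost.exe", "ilasm.exe", 12)
)
# The single SetThreadContext hit, as printed in the report.
CONTEXT_IOCS = "PID 4468 set thread context of 2056 4468 svchost.exe ilasm.exe"

WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)
CTX_RE = re.compile(
    r"PID (?P<src>\d+) set thread context of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Every plain child spawn in this run shows exactly two parent writes; treat that
# as the process-creation baseline (assumption drawn from this report only).
CREATE_BASELINE = 2


def parse(text, pattern):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per record."""
    return [(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]) for m in pattern.finditer(text)]


def write_counts(write_text):
    """WriteProcessMemory hits per (src_pid, dst_pid, src_image, dst_image)."""
    return Counter(parse(write_text, WRITE_RE))


def classify(write_text, ctx_text):
    """Split written-to targets into hollowed, probed and plain spawns."""
    counts = write_counts(write_text)
    ctx_pairs = {(s, d) for s, d, _, _ in parse(ctx_text, CTX_RE)}
    result = {"hollowed": [], "probed": [], "spawned": []}
    for (src, dst, src_img, dst_img), n in sorted(counts.items()):
        rec = {"src": src, "src_img": src_img, "dst": dst, "dst_img": dst_img, "writes": n}
        if (src, dst) in ctx_pairs:
            result["hollowed"].append(rec)      # written to, then thread context replaced
        elif n > CREATE_BASELINE:
            result["probed"].append(rec)        # extra writes but no SetThreadContext
        else:
            result["spawned"].append(rec)       # ordinary child creation
    return result


if __name__ == "__main__":
    for kind, recs in classify(WRITE_IOCS, CONTEXT_IOCS).items():
        print(kind)
        for r in recs:
            print(f"  {r['src']} {r['src_img']} -> {r['dst']} {r['dst_img']} ({r['writes']} writes)")
```

Run against this report the hollowed list contains only PID 2056 ilasm.exe, notepad.exe, vbc.exe and cmd.exe (PID 3208) land in the probed bucket, and the five cmd/timeout/schtasks/svchost spawns are classified as ordinary.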
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe (PID 1968)
   "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe (PID 3928)
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\schtasks.exe (PID 3096)
         schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
         - Creates scheduled task(s)
   2. C:\Windows\system32\cmd.exe (PID 3448)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp20A2.tmp.bat""
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\timeout.exe (PID 1772)
         timeout 3
         - Delays execution with timeout.exe
      3. C:\Users\Admin\AppData\Roaming\svchost.exe (PID 4468)
         "C:\Users\Admin\AppData\Roaming\svchost.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\notepad.exe (PID 2312)
            "C:\Windows\System32\notepad.exe"
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2044)
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
         4. C:\Windows\System32\cmd.exe (PID 3208)
            "C:\Windows\System32\cmd.exe"
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe (PID 2056)
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2804 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
   (separate tree root: a background Edge utility process on the sandbox image, not a child of the sample)

Sequence: the sample registers persistence twice (the Run key it writes itself, and a logon task with /rl highest via cmd.exe and schtasks.exe), then runs a 151-byte batch file that waits three seconds and starts the copy at C:\Users\Admin\AppData\Roaming\svchost.exe. The copy spawns notepad.exe, vbc.exe, cmd.exe and ilasm.exe and hollows ilasm.exe. Two details of the schtasks line are useful as detection strings: the task name "svchost" pointing at a path under AppData, and the single quotes around the /tr value, which cmd.exe passes through literally so the '" pair reaches schtasks unchanged.
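Both persistence entries in this tree can be judged from their text alone. The script below is an added example (not the sandbox's signature logic): it tokenizes a Windows command line the way cmd.exe does (double quotes group, single quotes are ordinary characters), pulls the schtasks switches out, and returns the concrete reasons the scheduled task and the Run key value from this report are suspicious, alongside a constructed benign task as a control. The lists of system image names and user-writable directories are the author's own starting points, not an exhaustive rule set.

```python
"""Score persistence command lines and Run key values for masquerading and risky options."""
import re

# Copied from the process tree and the "Adds Run key" signature above.
SCHTASKS_VIA_CMD = (r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '''
                    r'''/tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit''')
RUN_KEY = ("svchost", r'"C:\Users\Admin\AppData\Roaming\svchost.exe"')
# Constructed control: a task a backup product might legitimately create.
BENIGN_TASK = r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'

SYSTEM_IMAGE_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "dllhost.exe", "conhost.exe", "explorer.exe"}
SYSTEM_DIRS = re.compile(r"(?i)^c:\\windows\\(system32|syswow64)\\")
USER_WRITABLE = re.compile(r"(?i)\\(appdata|programdata|temp|downloads)\\")


def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted runs together; single quotes
    are ordinary characters, which is how cmd.exe treats them."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def schtasks_args(cmdline):
    """Map each switch to its value (for value-taking switches) or True."""
    toks = tokenize(cmdline)
    args, i = {}, 0
    while i < len(toks):
        key = toks[i].lower()
        if key in ("/sc", "/rl", "/tn", "/tr", "/st") and i + 1 < len(toks):
            args[key] = toks[i + 1]
            i += 2
        else:
            args[key] = True
            i += 1
    return args


def unquote(s):
    return s.strip("'").strip('"')


def assess_image(path):
    """Findings about the program a persistence entry points at."""
    findings = []
    clean = unquote(path)
    name = clean.rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(clean):
        findings.append("target lives under a user-writable directory")
    if name in SYSTEM_IMAGE_NAMES and not SYSTEM_DIRS.match(clean):
        findings.append(f"{name} outside System32/SysWOW64: system-binary masquerade")
    return findings


def assess_schtasks(cmdline):
    args = schtasks_args(cmdline)
    if "/create" not in args:
        return []
    target = args.get("/tr", "")
    findings = assess_image(target)
    if str(args.get("/sc", "")).lower() == "onlogon":
        findings.append("trigger is every logon")
    if str(args.get("/rl", "")).lower() == "highest":
        findings.append("/rl highest asks for the highest run level the creator holds")
    if target.startswith("'"):
        findings.append("single-quoted /tr: the literal '\" pair survives into the task action")
    if "/f" in args:
        findings.append("/f silently replaces any existing task with the same name")
    return findings


def assess_run_key(value_name, value_data):
    findings = assess_image(value_data)
    if value_name.lower() in {n[:-4] for n in SYSTEM_IMAGE_NAMES}:
        findings.append(f"Run value named '{value_name}' mimics a Windows component")
    return findings


if __name__ == "__main__":
    for label, findings in [("schtasks via cmd", assess_schtasks(SCHTASKS_VIA_CMD)),
                            ("Run key", assess_run_key(*RUN_KEY)),
                            ("benign control", assess_schtasks(BENIGN_TASK))]:
        print(label, "->", findings or ["nothing suspicious"])
```

The report's schtasks line trips all six checks and the Run key three, while the constructed daily backup task trips none; the masquerade check alone (svchost.exe outside System32/SysWOW64) would be enough to catch this sample's persistence.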
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp20A2.tmp.bat
Filesize: 151B
MD5: 7706c02db0e1314fc101dace8adec5ef
SHA1: 9e2147c3cb6b06e4ccff98d90a2a9a5c88502d69
SHA256: 96003890ed516c940f968999ee8355306daef0534dba076d6a03de70723dfd50
SHA512: e8f8c49e9d024d5a0a6e3ffad4ed8a184551c3d566e333a124eeaa4f1a5c92cf9a2b3e14d84291f279544ca18ad701301d664d9cbbdbc9ee6dcb1a9e86e4525a

C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize: 1.0MB
MD5: 18fba1571b2ef85ee29d7629b0360f8b
SHA1: 160a5e70d376d45de6f8ca69cf00bdfe0530ce72
SHA256: 20f140b6b03ab5318a5c9ce920528c982184ea1fa5e4e51dd3925eedf36ea924
SHA512: 0ff5e16ddc13cdcfe5624f3eb7d2535ef40a825f1dfc758cf3d41c390c6ce73c06d501be5c4ed16927dc2f8a6d6287ba06c5d8c43e51595f461a2552b1dd2d2b
All four hashes match the submitted sample: the dropped file is a byte-for-byte copy of the original, so one file-hash rule covers both the initial binary and the persisted one.

Memory dumps
memory/1968-0-0x0000017CB8D30000-0x0000017CB8D62000-memory.dmp: 200KB
memory/1968-1-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp: 10.8MB
memory/1968-2-0x0000017CD3220000-0x0000017CD3230000-memory.dmp: 64KB
memory/1968-3-0x0000017CD30D0000-0x0000017CD31A4000-memory.dmp: 848KB
memory/1968-8-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp: 10.8MB
memory/4468-13, -20, -21: 0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp: 10.8MB each (the same mapping, at the same address, as in PID 1968)
memory/2056-14, -15, -16, -17, -18, -19, -22, -23, -24, -25, -27, -29, -31: 0x0000000000400000-0x0000000000482000-memory.dmp: 520KB each (thirteen snapshots of one region in ilasm.exe, starting at the default image base 0x400000; this is the SetThreadContext target, so this region is the one to carve for the injected payload)