Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08-05-2024 12:02
Behavioral task
behavioral1
Sample
rem.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
rem.exe
Resource
win10v2004-20240419-en
General
-
Target
rem.exe
-
Size
483KB
-
MD5
06f5b8dffc6c138828adbc7f29cfc7f0
-
SHA1
b59ef5d613a1e49c7034c3ee05780ce054ca0054
-
SHA256
03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
-
SHA512
e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893
-
SSDEEP
6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNx5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDIcv
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Process: rem.exe
  Description        IoC                                                                                                         Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation  rem.exe
-
Executes dropped EXE 1 IoCs
Processes:
Process: svcs.exe
  PID   Process
  1512  svcs.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Processes: svcs.exe, rem.exe
  Description      IoC                                                                                                                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""  svcs.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""                                    svcs.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""  rem.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""                                    rem.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Process: svcs.exe
  PID   Process
  1512  svcs.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Process: rem.exe
  Description                      PID  Process  Target process
  PID 948 wrote to memory of 1512  948  rem.exe  svcs.exe
  PID 948 wrote to memory of 1512  948  rem.exe  svcs.exe
  PID 948 wrote to memory of 1512  948  rem.exe  svcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\rem.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rem.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 948
  -
  C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe (child of PID 948)
    Command line: "C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID: 1512
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\ProgramData\logsa\logs.dat
  Filesize  144B
  MD5       cf0f789fd9a26c8ac90aecf322f93afc
  SHA1      f269443643895c1e7ad6b7e3821099411597dade
  SHA256    cfd29c94cda953cac8edf282889279212e56ffab2f74a597ea152072c6f413f4
  SHA512    835abd60a279bca62667401ad53caae517a38abc5588aa05e3a267cb3f17ccd7ac8aca882490a0f2606a169afff47f88f7bbd733902bdc3cb1f0507e18ac2589
-
C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe
  Filesize  483KB
  MD5       06f5b8dffc6c138828adbc7f29cfc7f0
  SHA1      b59ef5d613a1e49c7034c3ee05780ce054ca0054
  SHA256    03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
  SHA512    e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893