Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 10:08

Static task: static1
Behavioral task: behavioral1
Sample: a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe
Resource: win7-20240508-en

General
Target: a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe
Size: 1.1MB
MD5: 6396cf12253c6f9a3ce1607be6df95ca
SHA1: a9525c26f5010f1c149403ab83944a575bfb45b5
SHA256: a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d
SHA512: 8c3126ce810f49307dd09b0062c56844a98b7b900fbdf2f7b6f74db9b6a5647f3d3330c3fb7b1664272f485f5d2a2818060b299b0958d9c62ecf0912f9c7276d
SSDEEP: 24576:XJDCuMUyddMSoLPAWO0+7y9ZlhuQ19EW9du+NnwEDjTSI44+s4:VCey/oLPa0HAQ1b9du+Nn2I6s4
Malware Config
Extracted
Family: remcos
Botnet: AJANKO
C2: ajanko.duckdns.org:1970
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-Z9ICSO
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

(description | ioc | Process)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

(description | ioc | Process)
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
(pid | Process)
1648 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
(description | ioc | Process)
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe

Executes dropped EXE (1 IoC)
(pid | Process)
4792 | svchost.exe

(description | ioc | Process)
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
(description | ioc | Process)
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe

(description | ioc | Process)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Suspicious use of SetThreadContext (1 IoC)
(description | pid | Process | procid_target)
PID 4792 set thread context of 1184 | 4792 | svchost.exe | 101

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
(pid | pid_target | Process | procid_target)
636 | 1184 | WerFault.exe | 101

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
(pid | Process)
2408 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
(pid | Process)
3560 | timeout.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
(pid | Process)
4048 | a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe (23 identical entries)
1648 | powershell.exe (2 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
(description | pid | Process)
Token: SeDebugPrivilege | 4048 | a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe
Token: SeDebugPrivilege | 4792 | svchost.exe
Token: SeDebugPrivilege | 1648 | powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)
(description | pid | Process | procid_target)
PID 4048 wrote to memory of 3096 | 4048 | a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe | 88 (2 identical entries)
PID 4048 wrote to memory of 1632 | 4048 | a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe | 90 (2 identical entries)
PID 3096 wrote to memory of 2408 | 3096 | cmd.exe | 92 (2 identical entries)
PID 1632 wrote to memory of 3560 | 1632 | cmd.exe | 93 (2 identical entries)
PID 1632 wrote to memory of 4792 | 1632 | cmd.exe | 94 (2 identical entries)
PID 4792 wrote to memory of 1648 | 4792 | svchost.exe | 100 (2 identical entries)
PID 4792 wrote to memory of 1184 | 4792 | svchost.exe | 101 (12 identical entries)

System policy modification (1 TTP, 1 IoC)
(description | ioc | Process)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe"
    PID: 4048
    Signatures: Checks computer location settings; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        PID: 3096
        Signatures: Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
            PID: 2408
            Signatures: Creates scheduled task(s)

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp45B4.tmp.bat""
        PID: 1632
        Signatures: Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\timeout.exe
            Command line: timeout 3
            PID: 3560
            Signatures: Delays execution with timeout.exe

        [3] C:\Users\Admin\AppData\Roaming\svchost.exe
            Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
            PID: 4792
            Signatures: UAC bypass; Windows security bypass; Checks computer location settings; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
                PID: 1648
                Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                PID: 1184

                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 24
                    PID: 636
                    Signatures: Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1184 -ip 1184
    PID: 4060
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 151B
MD5: db3a46a9b69dd2336a2bb763b4a8a7ea
SHA1: 7b6f18fd9614e819f7eeb4ff48eda983cb6423f8
SHA256: e2a83c68235946fe4ad2deca8242b9d8fd615263a3ba1d6df0addbb6fd0f4d2e
SHA512: 89816b7ad676af6da9242c2c17c85b691037271afc41078cbe2e9458350f2a3b990cc0400ff01255e75857783044f1af242490f7cd5471c0dc52aa29c136e022

Filesize: 1.1MB
MD5: 6396cf12253c6f9a3ce1607be6df95ca
SHA1: a9525c26f5010f1c149403ab83944a575bfb45b5
SHA256: a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d
SHA512: 8c3126ce810f49307dd09b0062c56844a98b7b900fbdf2f7b6f74db9b6a5647f3d3330c3fb7b1664272f485f5d2a2818060b299b0958d9c62ecf0912f9c7276d