Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
09-05-2024 12:11
General
-
Target
Teklif-Formu.jar
-
Size
64KB
-
MD5
8f32b6ad5a4b0bf593c5e8cfe8afd04b
-
SHA1
02623723f9a9af013df424336d45ada46abe9472
-
SHA256
0fb1d11732acd516de3da578ac8d7a4a0f51684f588898bc0621fe5424cef0eb
-
SHA512
185bb366786dc1a1a54dcb623341f7a727842685aa50d48dcc4bafe5135feaa1f6294a874faa55fdc91816a43bd60ab543c9284b7eec97d8cedf65dd62de282c
-
SSDEEP
1536:sFVl2U0Gg0HxEjXu28Gut9+gnzqYgMYw0Sr8awyvI0cNFl:sFv2U0GXUu28P7HZY84awyv3cNFl
Malware Config
Extracted
remcos
May Day
zekeriyasolek45.duckdns.org:3321
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Windows Data Start.exe
-
copy_folder
Windows Data Start-Up
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
Window Display
-
keylog_path
%WinDir%
-
mouse_option
false
-
mutex
Windows Audio-EIQQ40
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
-
UAC bypass 3 TTPs 2 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\Teklif-Formu.jar1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Teklif-Formu.jar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Teklif-Formu.jar"3⤵
- Creates scheduled task(s)
-
-
-
C:\Program Files\Java\jre7\bin\java.exe"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Teklif-Formu.jar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "C:\Users\Admin\AppData\Roaming\WindowsDataSystem.scr"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WindowsDataSystem.scrC:\Users\Admin\AppData\Roaming\WindowsDataSystem.scr4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WindowsDataSystem.scr"C:\Users\Admin\AppData\Roaming\WindowsDataSystem.scr"5⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f7⤵
- UAC bypass
- Modifies registry key
-
-
-
C:\Windows\Windows Data Start-Up\Windows Data Start.exe"C:\Windows\Windows Data Start-Up\Windows Data Start.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Windows Data Start-Up\Windows Data Start.exe"C:\Windows\Windows Data Start-Up\Windows Data Start.exe"7⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f8⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f9⤵
- UAC bypass
- Modifies registry key
-
-
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"8⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.09⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275457 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD58f32b6ad5a4b0bf593c5e8cfe8afd04b
SHA102623723f9a9af013df424336d45ada46abe9472
SHA2560fb1d11732acd516de3da578ac8d7a4a0f51684f588898bc0621fe5424cef0eb
SHA512185bb366786dc1a1a54dcb623341f7a727842685aa50d48dcc4bafe5135feaa1f6294a874faa55fdc91816a43bd60ab543c9284b7eec97d8cedf65dd62de282c
-
Filesize
579B
MD5f55da450a5fb287e1e0f0dcc965756ca
SHA17e04de896a3e666d00e687d33ffad93be83d349e
SHA25631ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA51219bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630
-
Filesize
252B
MD5c505450f67a94e6bcca85ce1b470a5da
SHA1c8f8b42ff3f2490002bf8fc6301a8ff07a7f3756
SHA2569026073b400786e558448a3aa601579919542e9c3ff1553a81c88668e009da17
SHA51295556f238c82cc73528020fe73c79ee92e305166987b8c3ce38ec29f6f35f6788b5b471cf618fe4ddabb74f15a796776e69fa176f970b678753b25573ed153ba
-
Filesize
344B
MD59b6e84614bd32272ae175f747506a01c
SHA1c9e45ba653a2592614778f07cd432473823d1932
SHA25637377ffb64d39ab1daf6c65b7d5476c0690d860189f5363f6cd4943984c9c8e0
SHA512eb50689e182e0c6e1ca94f29875e78da1e342731f9ccedc5a4b2ab6476bb13c15826a80655268633808e41d455205bd1a27881db2c2cdc3415b432fddf8b8d3c
-
Filesize
344B
MD5e93d763dd8cf91101654679f0b86510a
SHA135f9dbc4965ff1faeb4c56094076acb0fc7f2cfb
SHA25634eb7004883f6afa2069945eae3506bbaaa9df5739334a42ee5f08f9c994c43e
SHA51295c940ca84a765a5eecc236298b96f1a6d5198d640e59bc55212bfe2dcf120ab964d6367de3397776d748c61c27967025237a1e1822a1a1cfe52c2c4a25263ab
-
Filesize
344B
MD5981bf439a4aba921ec6307174f409842
SHA1874d485533d133c9f4242dfb72bc8ce4a5ebb1ab
SHA2562a0eee31242a2ebb7b2b66ca475579abfd366a98ab242fd1a5b72cd49bc201c7
SHA51289fc5c753085a1ab7c41f3eff21e3a61a5d2774f950b14bcd712719e5c312a3db79e21cac7d35939baf9f5d5186cdb0eefde3f5c671600dd5fbcf4b478d505a2
-
Filesize
344B
MD5751e535d58e39194e3daff4148096da9
SHA1e14d70d835632aca39cdfa186b67877e27e711c6
SHA256ca1f8e67e5ad546dcdf0bb375a0d10767e27d4e5f99fede7c7232a1669349e24
SHA5122aeca333f300722791a54d0570256bec1e04bf9005f4ebdfeb72825df0a7aa80cf16b92846bb6c3a0516f564dbcbb22a1802ce2a28cc38786646304d1a679993
-
Filesize
344B
MD5dd68c90064f5e007c27222cc0d3050df
SHA1e673e526e7cef7309eb1f92ee01936ba65f27779
SHA2561f37f9a7e8769ee958070b3cac877344f38426be7800f1f7bb3183d0ce437a9f
SHA512cf33334e1dba8bf94556ed40eed3654962fe9309ce0a34ce3c3c53bdf7c95948a9816d4d9528063e5fe4d138ce7af69376d1beecd958958e1c7194b9a30057de
-
Filesize
344B
MD50315657cbba71c8ffd95f4748033123b
SHA1e7d62ee70ce33c508d96843719226c77234f74c7
SHA2561f08016923d5d49ef8b4ddb71e533ab721619d5a831112223f87da2fbe12b940
SHA51251be241b78cddc5469463652b64347e80f1ce02d5da32eb6c5db6e852d0a8a2dced1b11087655b0c6857363c4626f4bf42df9c6a309710a6a4cfd210a9982f6a
-
Filesize
344B
MD57c486e2a101d19f86871b45a82d612d7
SHA124d078728dee1df6dd9ac3784618ef67b98736d4
SHA256c44f31a7ec4578b68a020f62e25b42bcd422269ee4ca6513a93a3dd81032cba8
SHA512ca4d893261d9da55d5f346f6a88ebb0f65b70d3b319166f77bd2f55f0629734ea7bedd5e698fb82cf1b0f64c584fd608f6f1fc63471d960a55a7e04125603c26
-
Filesize
344B
MD585232367733cba37f0eb79bbe5a32868
SHA1fb00519d8486708c87f85dba48f85fac5bd7dd62
SHA256ae6d9ada4dccf58dcd9a1bedfd4340043448d9f85e3884f9c2a80d6faf249418
SHA51249d414c5f6077af06903e8da9b590ae4f05462f903d4e9825ec8781309449b7022ea07dee4bd270c79e65b67ddaa5f87d59e6e14b3f475b5069917d32b16cfdb
-
Filesize
344B
MD5d720a5cc282aeb3ecd8cccb60aaa7a45
SHA179c91206129d88967f063dfe43b3afc36193f25c
SHA256bdc8f44fbc7c2f5889c502047582f39409af7bd52ee47b2f9f7ca75fe2709a75
SHA512bf57f964f96c54fecfdc8658e9afad8756296b5480002c2621b34391c6a6988e7b41c15ea33c59b5315908166fe3e0a92fd1a219c76b9821b9a6b4666b325bb4
-
Filesize
344B
MD54308ced96310cb154662b436f23701a7
SHA16cccb3fe8ba95e58dfcc2d41e8a2de87c34c7065
SHA256801ecf7a90ceb60ae5860759a8178ddbb3c89b0a5be014e2fdee4d81a1ea6137
SHA512bbfc44237f93294ac52a418fa2134b83174e0ce9aa1d0d1d125084fb376fd97f7eccc486220b3c2aa1fa83bf23c9fd0df015b1ca7f59391ac750bd2f118fe3e3
-
Filesize
344B
MD5e506cab96cf70761f6b414919fb88927
SHA126eb530243132bcb615d43bbf8f30b9087535740
SHA256a4e29f07f31ff7be242c372ce0954ce38d168dc7c4d30b7889076687256839ed
SHA51268cdb7d9303991c8a2681fcfbf1d5b31edcca2923219a20b2e73352b17b7d6dc6491d3e6859177da7207d52de812521ec3933200a8c2372e16b77a8bd749783f
-
Filesize
344B
MD5fa3154c0f1c702b4383cda1fec924717
SHA1c4aa6198d49575df70f91be219b6cc89654383a8
SHA2560606233ff0fa46e511fcf0b4612c3186cebd8fe2fdc794b7e2313a4357761cd7
SHA51233961d2d4cb14e2b3513073ebc2665cd45946b62a8d2ded048bf66b916c1808ef540f6da80ffa7c7a00327e9d01b01684336b804137516063844333ca62610d9
-
Filesize
344B
MD558220506e463eeae4fbfca6c014d7deb
SHA1c49c339acad86c8d4b7c2c771e32f4983400a872
SHA256bc7b88a9b6f8b1f4c46771a76f2d5ad4e6817916ef435f8c3a0249bb43fbb614
SHA512886ba6584352d548faed50e0530b4f7a1f8543f47a0358af2a18eecc048424ebbae5072fbd868ef3b521f5062bd65dadc1b155b15faec86c959488b8d7488e0c
-
Filesize
344B
MD5c6b390f081ceeff3421b94386c4c7738
SHA197b325a946d069190ba38d3f6cdb28df0ee9a664
SHA2560801d08fc5699d41aab6264ee5169b80ac572e56675d3c10658a63f4aaefc1ee
SHA5121843a012d3f537883c182cc319b05ccdb59a983f46ff02f5abb1b604749f6a93ab1c97d9d856255ab1825139bac53c6670d8acc8a6cd015fce52c856fd288cdd
-
Filesize
344B
MD52b4fb4987a1f37199843e40364e7cff3
SHA1cfb3a50b38be1aa83f3112aadc8289d744b64535
SHA2565c7efcd1533ea78bf9ee6edd6b1b3b07c26eec764cbc6cf3bd5011a65fdbe3e2
SHA512cff6c0854637499e9dd471e10491bd571252847caa077493c35fe28a7dbdaf5c90fe897a1ec545f2a2e9993b60deed89e945d96fa1b21e8d0b7ae71f6e6342c2
-
Filesize
344B
MD5bfa2c107c77c21b29fec7a5450f6d34b
SHA1a02749b29136b0dbeced61967f963883b5e47252
SHA256a60d66f29d44bfb25ba3af309eb7873b22848d03521b3e8ecb60551db3f61a4d
SHA512404d2ffd4b6b4ba5c7bc8bf4c8c23ac76f08b2294cbeaf14fda0cf0f1d526a01a05a788c982acce84727c49177be8e4d720bf30e8198bb3a9443b465e9db35c3
-
Filesize
344B
MD51a0455e1e1f509bcb1a4a13355e4b049
SHA1d7b813c577fbc78d1cef755e61828ccc0985b61f
SHA25667856b39e73b189c3a7f9018ebc584090edb935f54b2c9b9393a4cf698fc74a4
SHA512604309fb455f2911725bfe7340de9f7ad46a2bc20a34b77e00d4f3e4f29f2f61dee35e2af972b89334298bb9f86f0903952a590da9b4886954a38a9e1b59e39a
-
Filesize
344B
MD5f011e913606326885484f0982ddbd9e8
SHA16bd6007d614f4d3225f6f69cdc679e20c568929c
SHA25677696b5a35205b2c859932bef1e7f4e620bf1a7388997fba882d07f57e97ae56
SHA51260f998fd3393aa05b89ed0c71f76f6a272f75d0a3ce2421012a9027f79bd45384eb7b8f34044a8f04a99d5205d71bc2968f2baea1e18e3c7b8d1de689df89991
-
Filesize
344B
MD5a07c1a028c2d573eec676df66e4ce2c4
SHA1dfc32fb8a7ac998aa7d3684d4b16e763eb43ae0c
SHA256bc3caf52d94fcadee468fc36566f9c5bd8191d92008530d91c50845c4be835a7
SHA512066cb060a941270d55253ff85d006e2697786ac20f3c5ce6e86b1655a3ae9ce7da257e5b888f55b1a2372c909427c7ddc78e239ae4bbc1f080dae9c575d01b20
-
Filesize
344B
MD59f5be9a8183fb1381481806b6f256ee1
SHA1f425619fd5bd1fd929e9218fb71021a5ecbdae6d
SHA2565aa2cd702297e1cdbf45ee3423c77503772390bde2347ca58f97f03a74ff1146
SHA512f97cec94db88a3ebe104c71e2ee5bc25a3f06f79664130134db6b412f4ef7e836163d5f8aa8a915e954c587bd30a08fc6250f714744fff04fb1871e388ea6b08
-
Filesize
344B
MD52cf60b1222fc6bca6be7c78a458def17
SHA1a0e0cad036b6fe17f0bd43f596161713073899c3
SHA256958d6919287438ff24cef586c47b9bfbb5e2cfba843b8dd085372b6e86306298
SHA512dfa9f925ba686c105ab46efbb7464fd19f4c480b786a20b1a1e8befdc6aba8d47e851209e71ae377c172aaac4bc08a39a309bb373665ec26dc7642f8faf6985f
-
Filesize
344B
MD5526d793e2d463bf1034278338260c50b
SHA155344fae23775ee1940a182f032df70d06ca64ca
SHA256b10e74d8d8b7cb884080f776cac28bd04cf02f3a3dd4c0c176f13cb9f7cc5bda
SHA512f8fabad3f25c1712216dd42429e7135bafed91c95a627470daf1397c8dc812dbaf1477aebbf393b86ec33e39ecd90b9651543bda6e4c9b8669ce8082757dc93e
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
1.3MB
MD520c84604de0080942e1d3b1d4d2afe12
SHA16f1777d49fdead6ef00b40826c95d5645748fb1b
SHA25690f99f8659dd04260d1b30b7d139e832ba8e2f2bbbb393f07f7ebcbaef8093c8
SHA512162ece022f63214e099c540c181c8230d26cbf062ddf768b3db654f1bed3821d8127664d365b2a9ac2d43edde700d21d7144a58e8916df09740b763d0d773acd
-
Filesize
1.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
1.4MB
-
Filesize
696KB
-
Filesize
32KB