Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 01:45
Behavioral task
behavioral1
Sample
aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe
Resource
win10v2004-20240508-en
General
Target: aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe
Size: 469KB
MD5: bd8b7958eeae8d1adf54148d23079863
SHA1: 5b48f72267da36089181f175b3ea111dc6274377
SHA256: aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4
SHA512: e494a21740da130d0f79dabde3611f78f5e3874cce59aee8203b1218466e58ac1a9e9483324b58a2c6ea4a7f07ced11497103fe393f931bba47956b7b1ed62e8
SSDEEP: 12288:Obmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSan9:uiLJbpI7I2WhQqZ7a9
Malware Config
Extracted
Family: remcos
Botnet: Nuevos
C2: nuevosremcs.duckdns.org:9090
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: notepads.exe
copy_folder: data
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: notas
mouse_option: false
mutex: Rmc-LYXPNU
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: system32
take_screenshot_option: false
take_screenshot_time: 5
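The installer settings above (install_path, copy_folder, copy_file, startup_value) fully determine where the implant will live and how it will persist, which is what the registry IoCs later in this report show. The script below is an added example, not code from the sandbox or from Remcos: it takes the configuration values exactly as listed and derives the expected host artifacts. The profile directory C:\Users\Admin, the expansion of %AppData% to <profile>\AppData\Roaming, and all function names are this example's own assumptions.

```python
"""
Map an extracted Remcos configuration to the host artifacts it implies.

Added example. Config values are copied from the report's "Malware Config"
section; the profile path and %AppData% expansion are assumptions.
"""
from __future__ import annotations
import ntpath

# Extracted configuration as listed in the report (constructed dict, same values).
REMCOS_CFG = {
    "c2": ["nuevosremcs.duckdns.org:9090"],
    "mutex": "Rmc-LYXPNU",
    "install_flag": True,
    "install_path": "%AppData%",
    "copy_folder": "data",
    "copy_file": "notepads.exe",
    "startup_value": "system32",
    "keylog_flag": False,
    "keylog_folder": "notas",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "mouse_option": False,
    "take_screenshot_option": False,
}


def expand_env(path: str, profile: str) -> str:
    """Expand the placeholders used in the path settings (assumed mapping)."""
    table = {
        "%AppData%": ntpath.join(profile, "AppData", "Roaming"),
        "%LocalAppData%": ntpath.join(profile, "AppData", "Local"),
        "%Temp%": ntpath.join(profile, "AppData", "Local", "Temp"),
        "%UserProfile%": profile,
    }
    for placeholder, real in table.items():
        path = path.replace(placeholder, real)
    return path


def parse_c2(entry: str) -> tuple[str, int]:
    """'host:port' -> (host, port). The report lists a single entry."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def expected_artifacts(cfg: dict, profile: str = r"C:\Users\Admin") -> dict:
    """Derive what to hunt for on a host if this config ran with install_flag set."""
    install_dir = ntpath.join(expand_env(cfg["install_path"], profile), cfg["copy_folder"])
    binary = ntpath.join(install_dir, cfg["copy_file"])
    screenshots = ntpath.join(expand_env(cfg["screenshot_path"], profile), cfg["screenshot_folder"])
    return {
        "c2": [parse_c2(e) for e in cfg["c2"]],
        "mutex": cfg["mutex"],
        "installs": bool(cfg["install_flag"]),
        "install_dir": install_dir,
        "binary": binary,
        # Run value: name is startup_value, data is the quoted install path.
        "run_value": (cfg["startup_value"], f'"{binary}"'),
        "screenshot_dir": screenshots,
        # Features switched off in this build; their output folders are not expected on disk.
        "disabled": sorted(
            k for k in ("keylog_flag", "screenshot_flag", "mouse_option", "take_screenshot_option")
            if not cfg[k]
        ),
    }


def run_value_matches(art: dict, name: str, data: str) -> bool:
    """Compare an observed Run value (name, data) with the one the config predicts."""
    exp_name, exp_data = art["run_value"]
    return (name.lower() == exp_name.lower()
            and data.strip().strip('"').lower() == exp_data.strip('"').lower())


if __name__ == "__main__":
    art = expected_artifacts(REMCOS_CFG)
    for k, v in art.items():
        print(f"{k}: {v}")
    # Observed later in this report: Run\system32 = "C:\Users\Admin\AppData\Roaming\data\notepads.exe"
    print(run_value_matches(art, "system32", r'"C:\Users\Admin\AppData\Roaming\data\notepads.exe"'))
```

The derived binary path, Run value name and quoted data line up with the "Adds Run key to start application" IoCs below, which is the check to run whenever a config extraction and a behavioural trace come from the same sample.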
Signatures
-
Detects Windows executables potentially bypassing UAC using eventvwr.exe (1 IoC)
This is a static YARA match on a dropped file, not observed behaviour: eventvwr.exe does not appear anywhere in the process tree below.
resource: behavioral2/files/0x00090000000233e2-6.dat | yara_rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Process: aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe
Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Process: WScript.exe
Executes dropped EXE (1 IoC)
Processes:
PID 548 | notepads.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
The value name "system32" mimics a Windows component while the data points into the user's roaming profile; the HKLM writes land under WOW6432Node, consistent with a 32-bit process (the children also run from SysWOW64).
Processes:
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\Users\Admin\AppData\Roaming\data\notepads.exe" | Process: notepads.exe
Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\Users\Admin\AppData\Roaming\data\notepads.exe" | Process: aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\Users\Admin\AppData\Roaming\data\notepads.exe" | Process: aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe
Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\Users\Admin\AppData\Roaming\data\notepads.exe" | Process: notepads.exe
(The quotation marks are part of the stored value data.)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Processes:
Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | Process: aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
PID 548 | notepads.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Each write targets the process that the writing PID has just created (see the process tree), so these follow the creation chain rather than injection into an unrelated process.
Processes:
PID 2928 (aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe) wrote to memory of PID 3380 | procid_target 82 | reported 3 times
PID 3380 (WScript.exe) wrote to memory of PID 4344 | procid_target 85 | reported 3 times
PID 4344 (cmd.exe) wrote to memory of PID 548 | procid_target 87 | reported 3 times
Processes
The command lines reference System32 but the images actually executed are under SysWOW64: the 32-bit parent is subject to WOW64 file-system redirection, so hunt for the SysWOW64 paths, not the System32 ones.
1. C:\Users\Admin\AppData\Local\Temp\aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe (PID 2928)
   Command line: "C:\Users\Admin\AppData\Local\Temp\aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (PID 3380, child of 2928)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 4344, child of 3380)
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\data\notepads.exe"
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\data\notepads.exe (PID 548, child of 4344)
            Command line: C:\Users\Admin\AppData\Roaming\data\notepads.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetWindowsHookEx
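The "Adds Run key to start application" and "Checks computer location settings" IoCs and the process tree above are the pieces a detection engineer would turn into rules: a Run value pointing at a user-writable directory, a script host spawning cmd.exe /c to launch an executable from the roaming profile, and a query of Geo\Nation. The script below is an added example, not code from the sandbox or any vendor product: the event lists are constructed by hand from the PIDs, paths and registry values shown in this report, and the field names and the three rules are this example's own.

```python
"""
Behavioural detection over the events recorded in this run.

Added example. PROC_EVENTS and REG_EVENTS are constructed from the report's
process tree and registry IoCs; the rule logic and field layout are assumed.
"""
from __future__ import annotations
import ntpath

SAMPLE = "aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4.exe"
SID = "S-1-5-21-1337824034-2731376981-3755436523-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PERSIST_EXE = r"C:\Users\Admin\AppData\Roaming\data\notepads.exe"

# Process creation events (constructed from the Processes section; ppid 0 = unknown parent).
PROC_EVENTS = [
    {"pid": 2928, "ppid": 0, "image": ntpath.join(TEMP, SAMPLE),
     "cmdline": '"' + ntpath.join(TEMP, SAMPLE) + '"'},
    {"pid": 3380, "ppid": 2928, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'},
    {"pid": 4344, "ppid": 3380, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\data\notepads.exe"'},
    {"pid": 548, "ppid": 4344, "image": PERSIST_EXE, "cmdline": PERSIST_EXE},
]

RUN_HKLM_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = ntpath.join(r"\REGISTRY\USER", SID, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
GEO_KEY = ntpath.join(r"\REGISTRY\USER", SID, r"Control Panel\International\Geo")
PERSIST_DATA = '"' + PERSIST_EXE + '"'   # value data is stored with surrounding quotes

# Registry events (constructed from the Signatures section).
REG_EVENTS = [
    {"pid": 548,  "op": "set",   "key": RUN_HKLM_WOW, "name": "system32", "data": PERSIST_DATA},
    {"pid": 2928, "op": "set",   "key": RUN_HKCU,     "name": "system32", "data": PERSIST_DATA},
    {"pid": 2928, "op": "set",   "key": RUN_HKLM_WOW, "name": "system32", "data": PERSIST_DATA},
    {"pid": 548,  "op": "set",   "key": RUN_HKCU,     "name": "system32", "data": PERSIST_DATA},
    {"pid": 2928, "op": "query", "key": GEO_KEY,      "name": "Nation",   "data": None},
    {"pid": 3380, "op": "query", "key": GEO_KEY,      "name": "Nation",   "data": None},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _exe_from_value(data: str) -> str:
    """Pull the executable path out of Run value data ('"path" args' or 'path args')."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]


def _user_writable(path: str) -> bool:
    """Locations a standard user can write to; an auto-start binary here is a red flag."""
    p = path.lower()
    return "\\appdata\\" in p or p.startswith("c:\\programdata\\") or p.startswith("c:\\users\\public\\")


def lineage(pid: int, procs: list[dict]) -> list[str]:
    """Image basenames from the root ancestor down to pid."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def rule_run_key_user_writable(reg_events: list[dict]) -> list[dict]:
    """Any Run value whose target executable lives in a user-writable directory."""
    out = []
    for e in reg_events:
        if e["op"] != "set" or not e["key"].lower().endswith(r"\currentversion\run"):
            continue
        exe = _exe_from_value(e["data"])
        if _user_writable(exe):
            out.append({"rule": "run_key_user_writable", "pid": e["pid"], "detail": f'{e["name"]} -> {exe}'})
    return out


def rule_script_host_chain(procs: list[dict]) -> list[dict]:
    """Script host -> cmd.exe /c -> executable launched from a user-writable directory."""
    by_pid = {p["pid"]: p for p in procs}
    out = []
    for p in procs:
        if not _user_writable(p["image"]):
            continue
        parent = by_pid.get(p["ppid"])
        if not parent or ntpath.basename(parent["image"]).lower() != "cmd.exe" or " /c " not in parent["cmdline"].lower():
            continue
        grand = by_pid.get(parent["ppid"])
        if grand and ntpath.basename(grand["image"]).lower() in SCRIPT_HOSTS:
            out.append({"rule": "script_host_cmd_userdir_exe", "pid": p["pid"], "detail": " > ".join(lineage(p["pid"], procs))})
    return out


def rule_geo_nation_query(reg_events: list[dict]) -> list[dict]:
    """Read of the configured country code; low severity on its own, a geofence hint in context."""
    return [{"rule": "geo_nation_query", "pid": e["pid"], "detail": "queried Geo\\Nation (possible geofence)"}
            for e in reg_events
            if e["op"] == "query" and e["key"].lower().endswith(r"\international\geo") and e["name"].lower() == "nation"]


def run_all(procs: list[dict] = PROC_EVENTS, reg_events: list[dict] = REG_EVENTS) -> list[dict]:
    return rule_run_key_user_writable(reg_events) + rule_script_host_chain(procs) + rule_geo_nation_query(reg_events)


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

Run against the constructed events this yields four Run-key findings (two processes each writing HKCU and the WOW6432Node HKLM view), one chain finding for PID 548 with the lineage aa4f…exe > WScript.exe > cmd.exe > notepads.exe, and two Geo\Nation queries; the chain rule deliberately requires the cmd.exe hop to carry /c so that an interactive shell does not trigger it.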
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 144B
MD5: d711a26c8ea12d49864f3d90296c2d1a
SHA1: 319a84d52c136ac4de4171406242ced336b4da00
SHA256: 1adcdf1f56e99395d7c937404dab8478a6c042f7c7da3287faa37c44d786f7f0
SHA512: 1b0dc81ff55391fc51d5959cb7780a7f0332875a82b268f928f28353974b267d09c605ae05947fe1136cd9dd4a8482a42c79db09cfe1010815f5c9b864a74c39

Filesize: 418B
MD5: 1653e8468b0d0cd87a484261da3a898b
SHA1: ab798bd56e8dfebf82b4feda4e1549778d19848b
SHA256: 1bf4eaa1b06f079565ca6ea81082736efd1e25d6465c353ad992ba8c38940c3f
SHA512: 5df77f64350879e22a6b9f018bdd8fcf90920cc9f4026ed9bf733b5e965214abd8c3643b211b2f814cd2a9e016f0c15762eaee133feef6ed5c37bdd66ff7be2f

Filesize: 469KB (the submitted sample; hashes match the General section)
MD5: bd8b7958eeae8d1adf54148d23079863
SHA1: 5b48f72267da36089181f175b3ea111dc6274377
SHA256: aa4f91582c090e99b67390b61edf78df4525c6f2125c38a2a0b1a925bbe7fab4
SHA512: e494a21740da130d0f79dabde3611f78f5e3874cce59aee8203b1218466e58ac1a9e9483324b58a2c6ea4a7f07ced11497103fe393f931bba47956b7b1ed62e8