Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-05-2024 01:09
Behavioral task: behavioral1
  Sample: 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe
  Resource: win10v2004-20240426-en
General
Target: 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe
Size: 469KB
MD5: 27bb3968cc18fb0df5b14e6d1b805552
SHA1: 8f44161a7c4e45422a5d179fbd1d1a81657d828c
SHA256: 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd
SHA512: c470ab75ae46a7161886b8e334143d373385efeb63afcb6f80317bcc0ed989bd3fbc97e87287a0aed8a4661b72261e1ceb94a2be263f25f00c935bad56bafc5d
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSFn9:uiLJbpI7I2WhQqZ7F9
Malware Config
Extracted: remcos
  Nuevos
  nuevosremcs.duckdns.org:9090
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: notepads.exe
  copy_folder: data
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: true
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: notas
  mouse_option: false
  mutex: Rmc-WRNU47
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: system32
  take_screenshot_option: false
  take_screenshot_time: 5
Signatures
Detects Windows executables potentially bypassing UAC using eventvwr.exe (1 IoC)
  resource: behavioral1/files/0x0036000000015c6d-5.dat
  yara_rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Executes dropped EXE (1 IoC)
  PID 2552: notepads.exe
Loads dropped DLL (2 IoCs)
  PID 2672: cmd.exe
  PID 2672: cmd.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" by 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" by notepads.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" by notepads.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" by 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2552: notepads.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2172 wrote to memory of 2492 (2172 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe, procid_target 28), reported 4 times
  PID 2492 wrote to memory of 2672 (2492 WScript.exe, procid_target 29), reported 4 times
  PID 2672 wrote to memory of 2552 (2672 cmd.exe, procid_target 31), reported 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe (PID 2172)
  command line: "C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 2492)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2672)
      command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\data\notepads.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\data\notepads.exe (PID 2552)
        command line: C:\Users\Admin\AppData\Roaming\data\notepads.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetWindowsHookEx