Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 07:42

Behavioral task: behavioral1
Sample: rem.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: rem.exe
Resource: win10v2004-20240508-en
General
Target: rem.exe
Size: 483KB
MD5: 06f5b8dffc6c138828adbc7f29cfc7f0
SHA1: b59ef5d613a1e49c7034c3ee05780ce054ca0054
SHA256: 03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
SHA512: e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893
SSDEEP: 6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNx5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDIcv
Malware Config
Extracted
remcos
Remote: leetboy.dynuddns.net:1998
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: svcs.exe
copy_folder: microsofts
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: true
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: logsa
mouse_option: false
mutex: Rmc-3XK1S0
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  PID 3068  svcs.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 2108  rem.exe
  PID 2108  rem.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: svcs.exe, rem.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""  process: svcs.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""  process: rem.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""  process: rem.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""  process: svcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  PID 3068  svcs.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 2108 wrote to memory of 3068  pid: 2108  process: rem.exe  target process: svcs.exe
  PID 2108 wrote to memory of 3068  pid: 2108  process: rem.exe  target process: svcs.exe
  PID 2108 wrote to memory of 3068  pid: 2108  process: rem.exe  target process: svcs.exe
  PID 2108 wrote to memory of 3068  pid: 2108  process: rem.exe  target process: svcs.exe
Processes

C:\Users\Admin\AppData\Local\Temp\rem.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rem.exe"
  PID: 2108
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe
    Command line: "C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe"
    PID: 3068
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\ProgramData\logsa\logs.dat
  Filesize: 144B
  MD5: ca4dc90d1714ab31e59b47190e5c13a2
  SHA1: 10d78330935e2185d1d3d0dde3a2e8b35f1a1b66
  SHA256: 14da46408cc4bdd64af2f5bb9ad74e331bcadba5ce329f3b58326e0074af5f5c
  SHA512: 1f78ed13aa22b4e00eaee3ac91693667bff0028d77d9fc6fb6c9dcad5960b0c53062df35f5d25b106504bf4f8cda07c7d4530c788b414f5f4691b6ecc1234bde

\Users\Admin\AppData\Roaming\microsofts\svcs.exe
  Filesize: 483KB
  MD5: 06f5b8dffc6c138828adbc7f29cfc7f0
  SHA1: b59ef5d613a1e49c7034c3ee05780ce054ca0054
  SHA256: 03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
  SHA512: e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893