Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-05-2024 07:42
Behavioral task: behavioral1
- Sample: rem.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: rem.exe
- Resource: win10v2004-20240508-en
General
- Target: rem.exe
- Size: 483KB
- MD5: 06f5b8dffc6c138828adbc7f29cfc7f0
- SHA1: b59ef5d613a1e49c7034c3ee05780ce054ca0054
- SHA256: 03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
- SHA512: e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893
- SSDEEP: 6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNx5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDIcv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | rem.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    3916 | svcs.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | svcs.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | svcs.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | rem.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | rem.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    3916 | svcs.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 1180 wrote to memory of 3916 | 1180 | rem.exe | svcs.exe
    PID 1180 wrote to memory of 3916 | 1180 | rem.exe | svcs.exe
    PID 1180 wrote to memory of 3916 | 1180 | rem.exe | svcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\rem.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rem.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe (child of rem.exe)
    Command line: "C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\logsa\logs.dat
  Filesize: 144B
  MD5: ca4dc90d1714ab31e59b47190e5c13a2
  SHA1: 10d78330935e2185d1d3d0dde3a2e8b35f1a1b66
  SHA256: 14da46408cc4bdd64af2f5bb9ad74e331bcadba5ce329f3b58326e0074af5f5c
  SHA512: 1f78ed13aa22b4e00eaee3ac91693667bff0028d77d9fc6fb6c9dcad5960b0c53062df35f5d25b106504bf4f8cda07c7d4530c788b414f5f4691b6ecc1234bde
- C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe
  Filesize: 483KB
  MD5: 06f5b8dffc6c138828adbc7f29cfc7f0
  SHA1: b59ef5d613a1e49c7034c3ee05780ce054ca0054
  SHA256: 03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
  SHA512: e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893