Analysis
-
max time kernel
126s
-
max time network
138s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
-
submitted
24-05-2024 21:07
Static task
static1
Behavioral task
behavioral1
Sample
44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe
Resource
win7-20240221-en
General
-
Target
44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe
-
Size
6.9MB
-
MD5
4e5d4e845d8151e1763e1778c6802d21
-
SHA1
d825fab991db7e4b146341adde684e72909f3236
-
SHA256
44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e
-
SHA512
4d0656f6b18003416f6bfcab1c0a7664f30c4db723465f9f4f1a6f02c90dec2f794a177e422762538a93df49231d925b4a3d56c2defdac2af92a97830267f12a
-
SSDEEP
98304:6kUb1rBq5Pfr+u2ZwS0SwZFtv445NdaCT1hkNV95OTpLipdbN1BbkJ9J8OXzxHxz:6kWyKajZFt3VfT1YVX6+R4JHj+
Malware Config
Extracted
Family
remcos
Version
1.7 Pro
Botnet
Dlscord
C2
shall-someone.gl.at.ply.gg:60408
dead-reviewer.gl.at.ply.gg:60161
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
10
-
connect_interval
5
-
copy_file
Bin.exe
-
copy_folder
Factorio
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%SystemDrive%
-
keylog_crypt
true
-
keylog_file
driver.dat
-
keylog_flag
false
-
keylog_folder
keyboard drivers
-
keylog_path
%WinDir%\System32
-
mouse_option
false
-
mutex
remcos_bfpmypnbrt
-
screenshot_crypt
true
-
screenshot_flag
true
-
screenshot_folder
Screen drivers
-
screenshot_path
%WinDir%\System32
-
screenshot_time
60
-
startup_value
Windows.Defender
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Processes: Slugxquozdp.exe, Bin.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Factorio\\Bin.exe\"" | Slugxquozdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Factorio\\Bin.exe\"" | Slugxquozdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Factorio\\Bin.exe\"" | Bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Factorio\\Bin.exe\"" | Bin.exe
-
Detects Windows executables potentially bypassing UAC using eventvwr.exe 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/852-70-0x0000000000400000-0x0000000000417000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: Slugxquozdp.exe, Bin.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Slugxquozdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\"" | Slugxquozdp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\"" | Bin.exe
-
Executes dropped EXE 6 IoCs
Processes: Slugxquozdp.exe, Kbwdawuun.exe, Atyanjlltndx.exe, Atyanjlltndx.exe, Bin.exe
pid | process
2876 | Slugxquozdp.exe
2924 | Kbwdawuun.exe
2900 | Atyanjlltndx.exe
2864 | Atyanjlltndx.exe
1360 | Bin.exe
1144 |
-
Loads dropped DLL 8 IoCs
Processes: 44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe, Atyanjlltndx.exe, Atyanjlltndx.exe, cmd.exe
pid | process
1948 | 44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe
1948 | 44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe
2600 |
1948 | 44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe
2900 | Atyanjlltndx.exe
2864 | Atyanjlltndx.exe
2424 | cmd.exe
2424 | cmd.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI29002\python311.dll | upx
behavioral1/memory/2864-64-0x000007FEEE880000-0x000007FEEEE69000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: Slugxquozdp.exe, Bin.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\"" | Slugxquozdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\"" | Slugxquozdp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\"" | Bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\"" | Bin.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: Slugxquozdp.exe, Bin.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | Slugxquozdp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | Bin.exe
-
Drops file in System32 directory 4 IoCs
Processes: iexplore.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Screen drivers\0.dat | iexplore.exe
File opened for modification | C:\Windows\SysWOW64\keyboard drivers\driver.dat | iexplore.exe
File created | C:\Windows\SysWOW64\keyboard drivers\driver.dat | iexplore.exe
File opened for modification | C:\Windows\SysWOW64\Screen drivers\0.png | iexplore.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Bin.exe
description | pid | process | target process
PID 1360 set thread context of 852 | 1360 | Bin.exe | iexplore.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: Bin.exe
pid | process
1360 | Bin.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: iexplore.exe
pid | process
852 | iexplore.exe
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes: 44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe, Kbwdawuun.exe, Slugxquozdp.exe, Atyanjlltndx.exe, cmd.exe, Bin.exe
The 41 IoCs collapse into nine distinct parent/child pairs; the last column gives how many times each pair appears in the report.
description | pid | process | target process | entries
PID 1948 wrote to memory of 2876 | 1948 | 44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe | Slugxquozdp.exe | 4
PID 1948 wrote to memory of 2924 | 1948 | 44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe | Kbwdawuun.exe | 3
PID 2924 wrote to memory of 2492 | 2924 | Kbwdawuun.exe | cmd.exe | 3
PID 2876 wrote to memory of 2424 | 2876 | Slugxquozdp.exe | cmd.exe | 7
PID 1948 wrote to memory of 2900 | 1948 | 44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe | Atyanjlltndx.exe | 3
PID 2900 wrote to memory of 2864 | 2900 | Atyanjlltndx.exe | Atyanjlltndx.exe | 3
PID 2424 wrote to memory of 2312 | 2424 | cmd.exe | PING.EXE | 4
PID 2424 wrote to memory of 1360 | 2424 | cmd.exe | Bin.exe | 4
PID 1360 wrote to memory of 852 | 1360 | Bin.exe | iexplore.exe | 10
Processes
Process tree (indentation shows parent/child depth; the level number is the tree depth from the report):
-
Level 1: C:\Users\Admin\AppData\Local\Temp\44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  Level 2: C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe"
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Suspicious use of WriteProcessMemory
-
    Level 3: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
-
      Level 4: C:\Windows\SysWOW64\PING.EXE
      Command line: PING 127.0.0.1 -n 2
      - Runs ping.exe
-
      Level 4: C:\Factorio\Bin.exe
      Command line: "C:\Factorio\Bin.exe"
      - Modifies WinLogon for persistence
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies WinLogon
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
-
        Level 5: C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Drops file in System32 directory
        - Suspicious use of SetWindowsHookEx
-
  Level 2: C:\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
-
    Level 3: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\16AC.tmp\16AD.tmp\16AE.bat C:\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe"
-
  Level 2: C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
-
    Level 3: C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\16AC.tmp\16AD.tmp\16AE.bat
Filesize 7KB
MD5 924adee75529bce582ea2c9f503828a6
SHA1 ba8ebd2b7d15d838e1eb6f8d32e4c386f747ced9
SHA256 c65f92e2891313070846aa3144f60898c77be960c2a5fffd2ff4a65b70f08f0c
SHA512 589158041fb7032c30aae85347c929a5cf1bfb04f4b2342a709a2de03d3c604f3a3a3a64b2af6c9b1e28f7b9e4bdda40b221fe652fae2aefef79c8c3f9a64508
-
C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe
Filesize 92KB
MD5 9b5c39b0c84da11eb9ae23d9c4b38c0e
SHA1 b70605dd8cfd90ecd04e580406926ff2142e7abf
SHA256 dc051fbc6610c4c0d6af4270460a26716b21155b16385febd4984122b1836e4c
SHA512 ae9f9831504801fd0fbad0a7538587524130a7df6872c83e00b620f59eada65b818c26250c47b35334bca9426c9359dd1bd65139515e9db41e8050f1f832ac4d
-
C:\Users\Admin\AppData\Local\Temp\_MEI29002\python311.dll
Filesize 1.6MB
MD5 5792adeab1e4414e0129ce7a228eb8b8
SHA1 e9f022e687b6d88d20ee96d9509f82e916b9ee8c
SHA256 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967
SHA512 c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b
-
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize 127B
MD5 0d88e0f91440c2d9e1d60be69d830217
SHA1 ef1db80b7fc4eecd91a3dae8d3f1933b2dd4c08e
SHA256 fa925c11ca705b46d8e233861aa86d29bd81cbe148b60afc94f49518ff5db030
SHA512 7bf7794930c4cec95773c8a421ee750564a7bacd25399d7aab32eb54ea7dd3392330fc2520eaf69f0cb9a229f0b81555f3e05099167930e0ab379775c3f9329d
-
\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe
Filesize 6.9MB
MD5 2d07c38a7fe96e2e3beec83fd510b0b6
SHA1 8b4c5b3dece5154e3f30aa44223d9cdc693a39e4
SHA256 d50a64d36d6f98c3dbdea314d420dbc016344087d6a0cd8201197d83f2fc4377
SHA512 9cca2a02706ba9486b27dc594b59a47c5df427624969f1537f0f35b1212c32ff3cd629811abb4a425485573e5d93792c712d839c33ae775787be2386001b99a9
-
\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe
Filesize 129KB
MD5 66efe67d3c8f924223583a8130cc86bd
SHA1 eff211f2398cc53c26a3dc4b4d1c32f7fd918d73
SHA256 64d458cc5792715d89204c0be9d1c4bece43a56d159393a99a21d09f32f14df0
SHA512 1359b6601fffc2428e05eda4d94ac9bb8c1ef4e7d1b0e45f4345708489dc54fc13a60a42d86e3e662b61845046e5260d4a3e94f749b7c0012ace5bc65629545b
-
memory/852-70-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize 92KB
-
memory/1948-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp
Filesize 4KB
-
memory/1948-1-0x0000000000EE0000-0x00000000015CE000-memory.dmp
Filesize 6.9MB
-
memory/1948-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
Filesize 9.9MB
-
memory/1948-65-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
Filesize 9.9MB
-
memory/2864-64-0x000007FEEE880000-0x000007FEEEE69000-memory.dmp
Filesize 5.9MB