Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-05-2024 00:57
Behavioral task: behavioral1
- Sample: rem.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: rem.exe
- Resource: win10v2004-20240508-en
General
- Target: rem.exe
- Size: 483KB
- MD5: 06f5b8dffc6c138828adbc7f29cfc7f0
- SHA1: b59ef5d613a1e49c7034c3ee05780ce054ca0054
- SHA256: 03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
- SHA512: e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893
- SSDEEP: 6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNx5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDIcv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: rem.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | rem.exe
- Executes dropped EXE (1 IoC)
  Processes: svcs.exe
  pid | process
  936 | svcs.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: svcs.exe, rem.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | svcs.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | svcs.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | rem.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | rem.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: svcs.exe
  pid | process
  936 | svcs.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rem.exe
  description | pid | process | target process
  PID 3128 wrote to memory of 936 | 3128 | rem.exe | svcs.exe
  PID 3128 wrote to memory of 936 | 3128 | rem.exe | svcs.exe
  PID 3128 wrote to memory of 936 | 3128 | rem.exe | svcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\rem.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rem.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe
    Command line: "C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\logsa\logs.dat
  Filesize: 144B
  MD5: 036e7aeb3b1bb378435411025d83114d
  SHA1: 8f23763f88ef345dc16dfd303e7684126be73e14
  SHA256: a1806eddd4c8f2e3eb3e3c07da303be54a55ba2c159b246d888ba703c18a0bbe
  SHA512: 2bf335bbccfd0bee7344f7622b717a29c1ee0d4bd97b051275e790879034a523e3294cc04970da80adf438b4c634df35234500cd75927d17eb617c81c0172a7e
- C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe
  Filesize: 483KB
  MD5: 06f5b8dffc6c138828adbc7f29cfc7f0
  SHA1: b59ef5d613a1e49c7034c3ee05780ce054ca0054
  SHA256: 03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
  SHA512: e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893