Malware Analysis Report

2024-08-06 17:42

Sample ID 240620-c4eszaydpk
Target Operagx.bin
SHA256 88b9ba5dcd5d823a93ba2cf64d7644e991646d9e31686fca37d60862057f9e54
Tags
test remcos persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

88b9ba5dcd5d823a93ba2cf64d7644e991646d9e31686fca37d60862057f9e54

Threat Level: Known bad

The file Operagx.bin was found to be: Known bad.

Malicious Activity Summary

test remcos persistence rat

Remcos

Detects Windows executables potentially bypassing UAC using eventvwr.exe

Remcos family

Detects Windows executables potentially bypassing UAC using eventvwr.exe

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 02:37

Signatures

Remcos family

remcos

Detects Windows executables potentially bypassing UAC using eventvwr.exe

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 02:37

Reported

2024-06-20 02:40

Platform

win7-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Operagx.exe"

Signatures

Remcos

rat remcos

Detects Windows executables potentially bypassing UAC using eventvwr.exe

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system8\Calc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Calc = "\"C:\\Users\\Admin\\AppData\\Roaming\\system8\\Calc.exe\"" C:\Users\Admin\AppData\Local\Temp\Operagx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Calc = "\"C:\\Users\\Admin\\AppData\\Roaming\\system8\\Calc.exe\"" C:\Users\Admin\AppData\Roaming\system8\Calc.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system8\Calc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Operagx.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Operagx.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Operagx.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Operagx.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Operagx.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Operagx.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Operagx.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1940 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1940 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1940 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1940 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\system8\Calc.exe
PID 1940 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\system8\Calc.exe
PID 1940 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\system8\Calc.exe
PID 1940 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\system8\Calc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Operagx.exe

"C:\Users\Admin\AppData\Local\Temp\Operagx.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Users\Admin\AppData\Roaming\system8\Calc.exe

"C:\Users\Admin\AppData\Roaming\system8\Calc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp

Files

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 d223eb11fd8ec9a2ecd12696b0f298a3
SHA1 5dff732827edd42967171fe3f3ce7f8645715d4b
SHA256 a00ea6d7451bf64993e978242c3c550649586fbc9dfb82fca3e2efd73c6b0070
SHA512 b38a8c874682bcfddca37823a582e9b6a9f99b0aee62fd62c9863ad5d5c99fad2e0cbd74937207410de488bf629ff9c435fd163eb5bda4d3c987179af8a0b9bb

\Users\Admin\AppData\Roaming\system8\Calc.exe

MD5 338855fb71a903f1757fe495521b9592
SHA1 936ebddbcfdd3918261b235a6f1f964339c87aee
SHA256 88b9ba5dcd5d823a93ba2cf64d7644e991646d9e31686fca37d60862057f9e54
SHA512 384f7fcf215bbc67d71dec9777925524bfa9714a1aa1f17e90f02d229ab522d26191a46b1fe0c665f14c263b2d82144fe8aa53de870dca4788bb50a05f2af064

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 02:37

Reported

2024-06-20 02:40

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Operagx.exe"

Signatures

Remcos

rat remcos

Detects Windows executables potentially bypassing UAC using eventvwr.exe

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Operagx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system8\Calc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Calc = "\"C:\\Users\\Admin\\AppData\\Roaming\\system8\\Calc.exe\"" C:\Users\Admin\AppData\Local\Temp\Operagx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Calc = "\"C:\\Users\\Admin\\AppData\\Roaming\\system8\\Calc.exe\"" C:\Users\Admin\AppData\Roaming\system8\Calc.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system8\Calc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Operagx.exe

"C:\Users\Admin\AppData\Local\Temp\Operagx.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Users\Admin\AppData\Roaming\system8\Calc.exe

"C:\Users\Admin\AppData\Roaming\system8\Calc.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f0 0x4a0

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 0.tcp.ngrok.io udp

Files

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 d223eb11fd8ec9a2ecd12696b0f298a3
SHA1 5dff732827edd42967171fe3f3ce7f8645715d4b
SHA256 a00ea6d7451bf64993e978242c3c550649586fbc9dfb82fca3e2efd73c6b0070
SHA512 b38a8c874682bcfddca37823a582e9b6a9f99b0aee62fd62c9863ad5d5c99fad2e0cbd74937207410de488bf629ff9c435fd163eb5bda4d3c987179af8a0b9bb

C:\Users\Admin\AppData\Roaming\system8\Calc.exe

MD5 338855fb71a903f1757fe495521b9592
SHA1 936ebddbcfdd3918261b235a6f1f964339c87aee
SHA256 88b9ba5dcd5d823a93ba2cf64d7644e991646d9e31686fca37d60862057f9e54
SHA512 384f7fcf215bbc67d71dec9777925524bfa9714a1aa1f17e90f02d229ab522d26191a46b1fe0c665f14c263b2d82144fe8aa53de870dca4788bb50a05f2af064