Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2024 04:46
- Static task: static1
- Behavioral task: behavioral1
  - Sample: HDEBERTAD3423.exe
  - Resource: win7-20240705-en
General
- Target: HDEBERTAD3423.exe
- Size: 1.0MB
- MD5: 7f409fdbf293c9c3ce17a1e540739e24
- SHA1: ae25b94e4e8c95a5439947b195b1bd2d2f07fa7a
- SHA256: 52183f225975e6fa1a0c7f7917d43911deccf1375e4defa83852d06cb39c5d61
- SHA512: 1ff2d45f978b3d5b67e7dfdb717abcb6a2fc745feeade7308a6798baf8e0f9509078f9b4ff4ea7431184fa31b01fc26a8c0af6981d098849cc9c4743d4b17b58
- SSDEEP: 12288:WurSY+aZrwrmN+wYku7+yY++DSYOfGrT2LcdgrVrvFuVCJVuH71vilSeM93g:p/4rmNNtmY8YORwiPuVCnuH7hwm93
Malware Config
Extracted: remcos
- Botnet: BAREATA
- C2: 94.156.69.174:7459
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-7AD3IP
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5

install_flag, keylog_flag, screenshot_flag, take_screenshot_option and mouse_option are all false in this build, so the copy_*, keylog_* and screenshot_* values describe capabilities that are configured but switched off; the persistence observed in this run comes from the loader's scheduled task (see Processes), not from Remcos installing itself. The C2 endpoint and the mutex are the indicators that apply regardless of those flags.
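Added example (not part of the Triage report and not Remcos code): the extracted config above turned into concrete hunt indicators and matched against a constructed host snapshot. The CONFIG values are copied from the report; the profile path, the assumption that copy_folder and keylog_folder sit under the same base directory that screenshot_path names, the snapshot contents and the function names are this example's own.

```python
import ntpath
import re

# Values copied from the report's extracted Remcos config.
CONFIG = {
    "c2": ["94.156.69.174:7459"],
    "mutex": "Rmc-7AD3IP",
    "install_flag": False, "copy_folder": "Remcos", "copy_file": "remcos.exe",
    "keylog_flag": False, "keylog_folder": "remcos", "keylog_file": "logs.dat",
    "screenshot_flag": False, "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}

# Constructed host snapshot for the example: one real hit per artifact kind
# plus unrelated noise. The AEDsxJ.exe entry is the loader's drop path from
# the process tree, deliberately absent from the config-derived indicators.
SNAPSHOT = {
    "mutexes": ["Rmc-7AD3IP", r"Global\ExampleUnrelatedMutex"],
    "connections": [("94.156.69.174", 7459), ("192.0.2.10", 443)],
    "files": [r"C:\Users\Admin\AppData\Roaming\remcos\logs.dat",
              r"C:\Users\Admin\AppData\Roaming\AEDsxJ.exe"],
    "dirs": [],
}


def expand_env(template, env):
    """Expand %NAME% placeholders case-insensitively, as cmd.exe would.
    env keys are lower-cased names; unknown names are left untouched."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), template)


def _state(flag):
    # 'active' when the feature that creates the artifact is on in the
    # config, 'dormant' when the value exists but its flag is false.
    return "active" if flag else "dormant"


def build_indicators(cfg, env):
    """Return (kind, value, state) triples derived from the config."""
    base = expand_env(cfg["screenshot_path"], env)  # only base dir the config names
    ind = [("mutex", cfg["mutex"], "active")]
    for hostport in cfg["c2"]:
        host, port = hostport.rsplit(":", 1)
        ind.append(("c2", (host, int(port)), "active"))
    # Assumption for this example: copy and keylog folders live under `base`.
    ind.append(("file", ntpath.join(base, cfg["copy_folder"], cfg["copy_file"]),
                _state(cfg["install_flag"])))
    ind.append(("file", ntpath.join(base, cfg["keylog_folder"], cfg["keylog_file"]),
                _state(cfg["keylog_flag"])))
    ind.append(("dir", ntpath.join(base, cfg["screenshot_folder"]),
                _state(cfg["screenshot_flag"])))
    return ind


def hunt(indicators, snapshot):
    """Match indicators against a host snapshot; paths compare case-insensitively."""
    files = {ntpath.normcase(p) for p in snapshot.get("files", [])}
    dirs = {ntpath.normcase(p) for p in snapshot.get("dirs", [])}
    conns = set(snapshot.get("connections", []))
    mutexes = set(snapshot.get("mutexes", []))
    hits = []
    for kind, value, state in indicators:
        found = ((kind == "mutex" and value in mutexes)
                 or (kind == "c2" and value in conns)
                 or (kind == "file" and ntpath.normcase(value) in files)
                 or (kind == "dir" and ntpath.normcase(value) in dirs))
        if found:
            hits.append((kind, value, state))
    return hits


if __name__ == "__main__":
    env = {"appdata": r"C:\Users\Admin\AppData\Roaming"}
    for hit in hunt(build_indicators(CONFIG, env), SNAPSHOT):
        print(hit)
```

The dormant/active split matters when triaging a hit: a logs.dat match on a build with keylog_flag false should prompt a check for a second, differently configured sample rather than be taken as proof this one logged keystrokes. Config-derived indicators also miss what the loader does on its own (AEDsxJ.exe, the Updates\AEDsxJ task), which only the process tree supplies.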
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings by adding exclusions. Both invocations in this run use Add-MpPreference -ExclusionPath: PID 2152 excludes the sample's own path under %Temp%, and PID 2824 excludes C:\Users\Admin\AppData\Roaming\AEDsxJ.exe, the same name the scheduled task below carries.
  pid   Process
  2152  powershell.exe
  2824  powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process            procid_target
  PID 2352 set thread context of 2604  2352  HDEBERTAD3423.exe  36
  The parent sets the thread context of a second instance of its own image (PID 2604, which it launched) after writing into it (see WriteProcessMemory below); this is the pattern of injecting a payload into a suspended child (process hollowing). PID 2604 is also the only process that installs a Windows hook (SetWindowsHookEx).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  HDEBERTAD3423.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  HDEBERTAD3423.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2728  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2352  HDEBERTAD3423.exe
  2352  HDEBERTAD3423.exe
  2152  powershell.exe
  2824  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2352  HDEBERTAD3423.exe
  Token: SeDebugPrivilege  2152  powershell.exe
  Token: SeDebugPrivilege  2824  powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2604  HDEBERTAD3423.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description                       pid   Process            procid_target  count
  PID 2352 wrote to memory of 2152  2352  HDEBERTAD3423.exe  30             4
  PID 2352 wrote to memory of 2824  2352  HDEBERTAD3423.exe  32             4
  PID 2352 wrote to memory of 2728  2352  HDEBERTAD3423.exe  33             4
  PID 2352 wrote to memory of 2604  2352  HDEBERTAD3423.exe  36             13
  The four writes into each of the PowerShell and schtasks children accompany their creation; the 13 writes into PID 2604, together with the SetThreadContext call above, are consistent with the payload being written into the suspended child before its thread is redirected.
Processes
- C:\Users\Admin\AppData\Local\Temp\HDEBERTAD3423.exe (PID 2352)
  "C:\Users\Admin\AppData\Local\Temp\HDEBERTAD3423.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2152)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HDEBERTAD3423.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2824)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AEDsxJ.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2728)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AEDsxJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5783.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\HDEBERTAD3423.exe (PID 2604)
    "C:\Users\Admin\AppData\Local\Temp\HDEBERTAD3423.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

The helper processes are listed with SysWOW64 image paths although their command lines name System32: WoW64 file-system redirection resolved System32 to SysWOW64 because the 32-bit sample created them, so the PowerShell and schtasks instances are 32-bit. The task is defined from an XML file in %Temp% (tmp5783.tmp) rather than on the command line, so the trigger and the action (presumably the AEDsxJ.exe path excluded from Defender by PID 2824) are not visible in the process tree and have to be read from the dropped XML or from the Tasks folder.
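Added example (not the report's or the sandbox's own code): the process tree and API activity above replayed as constructed Sysmon-style events, with detection logic for the behaviours the signatures describe (Defender exclusion via Add-MpPreference, a scheduled task defined from a .tmp file in Temp, SetThreadContext into a child running the same image after WriteProcessMemory, and a connection to the extracted C2). The command lines and PIDs are copied from the report; the event layout, the parent PID 1000 for the sample, the network event, the helper names and the rule names are assumptions made for this example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule pid detail")

# Constructed events modelled on the report's process tree. Field names
# loosely follow Sysmon (pid/ppid/image/cmdline); the "api" and "network"
# events stand in for the sandbox's API hooks and for the C2 from the config.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\HDEBERTAD3423.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
EVENTS = [
    {"type": "process", "pid": 2352, "ppid": 1000, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "process", "pid": 2152, "ppid": 2352, "image": PS_IMAGE,
     "cmdline": PS_CMD + 'Add-MpPreference -ExclusionPath "' + SAMPLE + '"'},
    {"type": "process", "pid": 2824, "ppid": 2352, "image": PS_IMAGE,
     "cmdline": PS_CMD + r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AEDsxJ.exe"'},
    {"type": "process", "pid": 2728, "ppid": 2352,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AEDsxJ" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5783.tmp"'},
    {"type": "process", "pid": 2604, "ppid": 2352, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "api", "pid": 2352, "target": 2604, "call": "WriteProcessMemory"},
    {"type": "api", "pid": 2352, "target": 2604, "call": "SetThreadContext"},
    {"type": "network", "pid": 2604, "dst": "94.156.69.174", "dport": 7459},
]

# Arguments may be quoted or bare; each pattern captures both alternatives.
_EXCLUSION = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(Path|Extension|Process)\s+(?:"([^"]*)"|(\S+))',
    re.IGNORECASE | re.DOTALL)
_TN = re.compile(r'/TN\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_XML = re.compile(r'/XML\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _arg(match, quoted, bare):
    """Return whichever alternative (quoted or bare) of an argument matched."""
    return match.group(quoted) if match.group(quoted) is not None else match.group(bare)


def detect(events, c2=None):
    """Run the four rules over a list of events; c2 is an optional (host, port)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    writes = {(e["pid"], e["target"]) for e in events
              if e["type"] == "api" and e["call"] == "WriteProcessMemory"}
    findings = []
    for e in events:
        if e["type"] == "process":
            image, cmd, parent = _basename(e["image"]), e["cmdline"], procs.get(e["ppid"])
            if image in ("powershell.exe", "pwsh.exe"):
                for m in _EXCLUSION.finditer(cmd):
                    kind, value = m.group(1), _arg(m, 2, 3)
                    # Excluding the parent's own binary is the strongest form: the
                    # dropper is whitelisting itself, as PID 2152 does in the report.
                    own = parent is not None and value.lower() == parent["image"].lower()
                    findings.append(Finding("defender_exclusion_self" if own else "defender_exclusion",
                                            e["pid"], "Exclusion%s=%s" % (kind, value)))
            elif image == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
                tn, xml = _TN.search(cmd), _XML.search(cmd)
                xml_path = _arg(xml, 1, 2) if xml else ""
                # Task definition read from a .tmp file inside a Temp directory,
                # which hides the trigger and action from the command line.
                if re.search(r"\\temp\\[^\\]*\.tmp$", xml_path, re.IGNORECASE):
                    findings.append(Finding("schtasks_xml_from_temp", e["pid"],
                                            "%s <- %s" % (_arg(tn, 1, 2) if tn else "?", xml_path)))
        elif e["type"] == "api" and e["call"] == "SetThreadContext":
            src, dst = procs.get(e["pid"]), procs.get(e["target"])
            # Same image, parent/child relationship, memory written first: hollowing
            # of a second copy of the dropper's own executable.
            if (src and dst and dst["ppid"] == src["pid"]
                    and src["image"].lower() == dst["image"].lower()
                    and (e["pid"], e["target"]) in writes):
                findings.append(Finding("self_hollowing", e["pid"],
                                        "SetThreadContext -> %d (own image)" % e["target"]))
        elif e["type"] == "network" and c2 and (e["dst"], e["dport"]) == c2:
            findings.append(Finding("remcos_c2", e["pid"], "%s:%d" % (e["dst"], e["dport"])))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS, c2=("94.156.69.174", 7459)):
        print(f.rule, f.pid, f.detail)
```

Against the constructed events the rules yield five findings, one per behaviour plus the second Defender exclusion. The Add-MpPreference rule does not depend on the sample name, so it also catches the variant where only the future drop path (AEDsxJ.exe here) is excluded; in a real deployment the same logic would run over Sysmon Event ID 1 and 3 records and the EDR's thread-context telemetry rather than over this list.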
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not listed in the report)
  Filesize: 144B
  MD5: 0f572dc1e95faad909065b9f74ae18a5
  SHA1: 1979dc395580efc3143d3527ecae27c93690f668
  SHA256: 44b8ea1e75b8d48bde9374cfe5ab2d4ec5828ddf890ec3d19d44ebd45fa206bf
  SHA512: fcb1d133bb98c5b4fd3d20ee2c691943f8d93ffba3a840e4313720e49e280e9884c2724eab2be92f7b43f96859df21d6c5336374c76dde0128d95eb4fb77c0b0
- (path not listed in the report)
  Filesize: 1KB
  MD5: f4ec93dc7a7445dbf808308a54642adb
  SHA1: 5c9fa8ef734db6b64d4d78d6f4fe183c4e5d3462
  SHA256: ba89af16722b5d693b7ff32abf911d97f87ab1517a665fb55d965ec70d19610a
  SHA512: 88aaf218626fe87574d42b9e046810b9da9900a8c9e931d5e0089ab1264913e604e368387e4b4f6d3caeff1dfa507aea7c4e927ca56dc1ecb58c2f52a0d2dacb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 8e16b85d815cfc25b60a2cbb8a0a3fe4
  SHA1: 3cadd13600fc866ad72403d063aafeb50a495a62
  SHA256: 660a4084e2e30dbf6e2e8c5e7f0a1368d1bea314856b531b8fd17da322721678
  SHA512: c49ca17f4dddadf5dfbf3a199256686ed7fd7cce182e4c39b58e89410345da3cf4f127f7461ae93375be6ded00500e0bac95536f2d42255a15d72dff1e73d30f