Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2024 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: 14729cf354a2bcd9a764ea35732b2ebc.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 14729cf354a2bcd9a764ea35732b2ebc.exe
- Resource: win10v2004-20240709-en
General
- Target: 14729cf354a2bcd9a764ea35732b2ebc.exe
- Size: 15.4MB
- MD5: 14729cf354a2bcd9a764ea35732b2ebc
- SHA1: de5ab85e0531ffc7dcbde2dfa37111e90e212396
- SHA256: 1bfbe3e1ad1988b74e65a9675a05c796d71fa728440afbcccc7afd12c92104ef
- SHA512: 9c7754e704a5b594e1d48e69b08c489342c64e9ae34616661c04d376651308b60ccb38c48f474191ff897e96019873d078a422d312b92e9dac4b9312b7ae82fb
- SSDEEP: 393216:84uckLcEl+yYTUKIKF4rBQQeOwR9Erj9vjNiDkN9UPZHw9C:DEcEsyHfbAvCRvBiD2fC
Malware Config
Extracted: remcos
- RemoteHost: 5.253.86.233:2404
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-TNTD7F
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
UAC bypass
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: 14729cf354a2bcd9a764ea35732b2ebc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 14729cf354a2bcd9a764ea35732b2ebc.exe)
Executes dropped EXE (3 IoCs)
Processes:
- PID 2172: 651.exe
- PID 2984: oks.exe
- PID 1976: START.EXE
Loads dropped DLL (9 IoCs)
Processes:
- PID 2572: 14729cf354a2bcd9a764ea35732b2ebc.exe
- PID 2984: oks.exe
- PID 1976: START.EXE
- PID 1400: START.EXE
- PID 1840: WerFault.exe (5 IoCs)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\*madrePuta = "rundll32.exe C:\\Users\\Admin\\Documents\\ChromeUpdater.dll,EntryPoint" (process: reg.exe)
Checks whether UAC is enabled
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 14729cf354a2bcd9a764ea35732b2ebc.exe)
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes:
- PID 1976: START.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 14729cf354a2bcd9a764ea35732b2ebc.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: oks.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: NOTEPAD.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: START.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: reg.exe)
Opens file in notepad (likely ransom note) (1 IoC)
Processes:
- PID 2676: NOTEPAD.EXE
Suspicious use of WriteProcessMemory (34 IoCs)
Processes (source PID wrote to memory of target PID; source process -> target process; identical events counted):
- PID 2572 wrote to memory of 2172, 4 times: 14729cf354a2bcd9a764ea35732b2ebc.exe -> 651.exe
- PID 2172 wrote to memory of 2984, 4 times: 651.exe -> oks.exe
- PID 2984 wrote to memory of 2676, 4 times: oks.exe -> NOTEPAD.EXE
- PID 2984 wrote to memory of 1976, 4 times: oks.exe -> START.EXE
- PID 1976 wrote to memory of 1400, 7 times: START.EXE -> START.EXE
- PID 1976 wrote to memory of 2352, 4 times: START.EXE -> cmd.exe
- PID 2352 wrote to memory of 2432, 4 times: cmd.exe -> reg.exe
- PID 2172 wrote to memory of 1840, 3 times: 651.exe -> WerFault.exe
System policy modification (1 TTP, 3 IoCs)
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: 14729cf354a2bcd9a764ea35732b2ebc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: 14729cf354a2bcd9a764ea35732b2ebc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 14729cf354a2bcd9a764ea35732b2ebc.exe)
Processes (process tree; each entry gives image path, PID, command line and matched signatures, with children indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\14729cf354a2bcd9a764ea35732b2ebc.exe (PID 2572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14729cf354a2bcd9a764ea35732b2ebc.exe"
  Signatures: UAC bypass; Loads dropped DLL; Checks whether UAC is enabled; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Users\Admin\AppData\Local\Temp\651\651.exe (PID 2172)
    Command line: "C:\Users\Admin\AppData\Local\Temp\651\651.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\oks.exe (PID 2984)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\oks.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 2676)
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\1040.INF
        Signatures: System Location Discovery: System Language Discovery; Opens file in notepad (likely ransom note)
      - C:\Users\Admin\AppData\Roaming\START.EXE (PID 1976)
        Command line: "C:\Users\Admin\AppData\Roaming\START.EXE"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of NtCreateThreadExHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\START.EXE (PID 1400)
          Command line: "C:\Users\Admin\AppData\Roaming\START.EXE"
          Signatures: Loads dropped DLL
        - C:\Windows\SysWOW64\cmd.exe (PID 2352)
          Command line: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*madrePuta" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeUpdater.dll",EntryPoint /f & exit
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe (PID 2432)
            Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*madrePuta" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeUpdater.dll",EntryPoint /f
            Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
    - C:\Windows\system32\WerFault.exe (PID 1840)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2172 -s 160
      Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (3)
Downloads