Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2024 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: 14729cf354a2bcd9a764ea35732b2ebc.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 14729cf354a2bcd9a764ea35732b2ebc.exe
- Resource: win10v2004-20240709-en
General
- Target: 14729cf354a2bcd9a764ea35732b2ebc.exe
- Size: 15.4MB
- MD5: 14729cf354a2bcd9a764ea35732b2ebc
- SHA1: de5ab85e0531ffc7dcbde2dfa37111e90e212396
- SHA256: 1bfbe3e1ad1988b74e65a9675a05c796d71fa728440afbcccc7afd12c92104ef
- SHA512: 9c7754e704a5b594e1d48e69b08c489342c64e9ae34616661c04d376651308b60ccb38c48f474191ff897e96019873d078a422d312b92e9dac4b9312b7ae82fb
- SSDEEP: 393216:84uckLcEl+yYTUKIKF4rBQQeOwR9Erj9vjNiDkN9UPZHw9C:DEcEsyHfbAvCRvBiD2fC
Malware Config
Extracted: remcos
- RemoteHost: 5.253.86.233:2404
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-TNTD7F
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures

UAC bypass
Processes:
- 14729cf354a2bcd9a764ea35732b2ebc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- 14729cf354a2bcd9a764ea35732b2ebc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- 14729cf354a2bcd9a764ea35732b2ebc.exe: Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
- 651.exe: Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
- oks.exe: Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (4 IoCs)
Processes:
- PID 3376: 651.exe
- PID 1236: oks.exe
- PID 2308: START.EXE
- PID 1512: START.EXE
Loads dropped DLL (1 IoC)
Processes:
- PID 2308: START.EXE
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*madrePuta = "rundll32.exe C:\\Users\\Admin\\Documents\\ChromeUpdater.dll,EntryPoint"
Checks whether UAC is enabled
Processes:
- 14729cf354a2bcd9a764ea35732b2ebc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes:
- PID 2308: START.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- reg.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 14729cf354a2bcd9a764ea35732b2ebc.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- oks.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- NOTEPAD.EXE: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- START.EXE: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- START.EXE: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Modifies registry class (1 IoC)
Processes:
- oks.exe: Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings
Opens file in notepad (likely ransom note) (1 IoC)
Processes:
- PID 4196: NOTEPAD.EXE
Suspicious use of WriteProcessMemory (23 IoCs)
Processes (source PID and process wrote to memory of target PID and process; identical repeated events are counted):
- 2576 14729cf354a2bcd9a764ea35732b2ebc.exe -> 3376 651.exe (2 events)
- 3376 651.exe -> 1236 oks.exe (3 events)
- 1236 oks.exe -> 4196 NOTEPAD.EXE (3 events)
- 1236 oks.exe -> 2308 START.EXE (3 events)
- 2308 START.EXE -> 1512 START.EXE (6 events)
- 2308 START.EXE -> 3108 cmd.exe (3 events)
- 3108 cmd.exe -> 1552 reg.exe (3 events)
System policy modification (1 TTP, 3 IoCs)
Processes:
- 14729cf354a2bcd9a764ea35732b2ebc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- 14729cf354a2bcd9a764ea35732b2ebc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- 14729cf354a2bcd9a764ea35732b2ebc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\14729cf354a2bcd9a764ea35732b2ebc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\14729cf354a2bcd9a764ea35732b2ebc.exe"
    PID: 2576
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Users\Admin\AppData\Local\Temp\651\651.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\651\651.exe"
      PID: 3376
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\oks.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\oks.exe"
        PID: 1236
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\1040.INF
          PID: 4196
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)
      [4] C:\Users\Admin\AppData\Roaming\START.EXE
          Command line: "C:\Users\Admin\AppData\Roaming\START.EXE"
          PID: 2308
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of NtCreateThreadExHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\START.EXE
            Command line: "C:\Users\Admin\AppData\Roaming\START.EXE"
            PID: 1512
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*madrePuta" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeUpdater.dll",EntryPoint /f & exit
            PID: 3108
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\reg.exe
              Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*madrePuta" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeUpdater.dll",EntryPoint /f
              PID: 1552
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
Download 1
- Filesize: 7.7MB
- MD5: 186b6bf2fd5d1f3608f8c568a33aba2b
- SHA1: 03ac334f463e4125f0498cbe3a017c4e0dc9eec3
- SHA256: 82155ffb1e678544d90c4d3e7973029fa44936edc52e41bd99f22a51846e7755
- SHA512: 1bede595abf9ba44b0160f07a5a5b4de26b4dce9b5590c45af071d3d11565a92781356d12e127f732d1814f3b64feb8fc8e9e5d7366eee954cd450a919e9e9d3
Download 2
- Filesize: 1.6MB
- MD5: 8fefb5372a86943f8468f348df360a3e
- SHA1: df18d766996b41e5fd678cdbb319b97fd1ca58b4
- SHA256: a75db91dc62805ba25ce77ada06a10c6e202e698141f0673936342b3956ad734
- SHA512: e9747d64401828db590093550f05c7014ae417025959925d29983fbd8b219cb733febb83926fcd90f07213fb2e69d582f3837e5321e809c08760710e950510cf
Download 3
- Filesize: 2.8MB
- MD5: 0a59ba1ec5a791c0891678f3ac02852a
- SHA1: fa03a911a3bd61ecd1b0ddd002ba12b629481eab
- SHA256: 334965e87da4a0cc19e62a7a773fdc7a23013162196e242690377ecb315549c0
- SHA512: c8d366c32dd54ea7abe37332fa00dba3e94851ffedc295b828717e66e4cf0a2e012cf17a72c4a2d66d56cd2d0e0a3efc47fef36f4232a95a2095986fc40ba6f2