Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2024 08:10

Static task: static1
Behavioral task: behavioral1
  Sample: MalwareBazaar.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: MalwareBazaar.exe
  Resource: win10v2004-20240709-en
General
Target: MalwareBazaar.exe
Size: 15.4MB
MD5: 14729cf354a2bcd9a764ea35732b2ebc
SHA1: de5ab85e0531ffc7dcbde2dfa37111e90e212396
SHA256: 1bfbe3e1ad1988b74e65a9675a05c796d71fa728440afbcccc7afd12c92104ef
SHA512: 9c7754e704a5b594e1d48e69b08c489342c64e9ae34616661c04d376651308b60ccb38c48f474191ff897e96019873d078a422d312b92e9dac4b9312b7ae82fb
SSDEEP: 393216:84uckLcEl+yYTUKIKF4rBQQeOwR9Erj9vjNiDkN9UPZHw9C:DEcEsyHfbAvCRvBiD2fC
Malware Config
Extracted: remcos
RemoteHost: 5.253.86.233:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-TNTD7F
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
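The extracted configuration above is more useful once its flags are applied to it: install_flag, keylog_flag and screenshot_flag are all false in this build, so the copy path, keylog file and screenshot folder named in the config will not exist on an infected host, and the persistence this report does show (the Run key written by reg.exe further down) is not Remcos' own installer at work. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it parses RemoteHost, derives the artifacts a hunt should actually expect, and, on a Windows host, checks the caller's session for the configured mutex via OpenMutexW. The '|'-separated multi-host form, the optional trailing field after the port, and the assumption that the copy and keylog folders live under %AppData% are assumptions of the example, not facts stated in the report.

```python
from __future__ import annotations

import re
import sys

# The extracted configuration exactly as the report lists it (string values, as the sandbox emits them).
REPORT_CONFIG = {
    "RemoteHost": "5.253.86.233:2404",
    "audio_folder": "MicRecords", "audio_record_time": "5",
    "connect_delay": "0", "connect_interval": "1",
    "copy_file": "remcos.exe", "copy_folder": "Remcos",
    "delete_file": "false", "hide_file": "false", "hide_keylog_file": "false",
    "install_flag": "false", "keylog_crypt": "false", "keylog_file": "logs.dat",
    "keylog_flag": "false", "keylog_folder": "remcos", "mouse_option": "false",
    "mutex": "Rmc-TNTD7F", "screenshot_crypt": "false", "screenshot_flag": "false",
    "screenshot_folder": "Screenshots", "screenshot_path": "%AppData%",
    "screenshot_time": "10", "take_screenshot_option": "false", "take_screenshot_time": "5",
}

# host:port with an optional trailing field; IPv6 literals in brackets.
HOST_RE = re.compile(r'^(?P<host>\[[0-9a-fA-F:]+\]|[^:\s]+):(?P<port>\d{1,5})(?::(?P<extra>.*))?$')


def parse_remote_hosts(value: str) -> list[tuple[str, int]]:
    """Parse RemoteHost into (host, port) pairs.

    Assumption: several C2 entries may be joined with '|' and each may carry a
    trailing ':<field>'; the report shows a single plain host:port, which is the
    only form this sample exercises.
    """
    hosts = []
    for entry in value.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        m = HOST_RE.match(entry)
        if not m:
            raise ValueError(f"unparseable RemoteHost entry: {entry!r}")
        port = int(m["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        hosts.append((m["host"].strip("[]"), port))
    if not hosts:
        raise ValueError("RemoteHost is empty")
    return hosts


def flag(cfg: dict, key: str) -> bool:
    return str(cfg.get(key, "false")).strip().lower() in ("true", "1", "yes")


def expected_artifacts(cfg: dict) -> dict:
    """Turn the config into the IOCs a hunt should actually expect to find.

    Each file artifact is gated by the flag that enables it, so a hunt does not
    chase paths this build never writes. Assumption: copy and keylog folders are
    created beneath screenshot_path (%AppData% here); the report does not state
    the install root.
    """
    root = cfg.get("screenshot_path", "%AppData%")
    out = {"c2": parse_remote_hosts(cfg["RemoteHost"]), "mutex": cfg["mutex"], "files": [], "absent": []}
    gated = [
        ("install_flag", f"{root}\\{cfg['copy_folder']}\\{cfg['copy_file']}"),
        ("keylog_flag", f"{root}\\{cfg['keylog_folder']}\\{cfg['keylog_file']}"),
        ("screenshot_flag", f"{root}\\{cfg['screenshot_folder']}\\"),
    ]
    for key, path in gated:
        (out["files"] if flag(cfg, key) else out["absent"]).append((key, path))
    return out


def mutex_present(name: str):
    """On a live Windows host, test whether the mutex already exists in the caller's session.

    Returns True/False on Windows and None elsewhere (ctypes.windll is Windows-only).
    """
    if sys.platform != "win32":
        return None
    import ctypes
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if not h:
        return False
    k32.CloseHandle(h)
    return True


if __name__ == "__main__":
    art = expected_artifacts(REPORT_CONFIG)
    print("C2:", art["c2"])
    print("mutex:", art["mutex"], "present:", mutex_present(art["mutex"]))
    for key, path in art["files"]:
        print("expect", path, f"({key}=true)")
    for key, path in art["absent"]:
        print("skip  ", path, f"({key}=false)")
```

For this sample the only artifacts the function keeps are the socket 5.253.86.233:2404 and the mutex Rmc-TNTD7F; all three file paths land in the "absent" list, which is exactly why the Run key added by reg.exe, not a Remcos install directory, is the persistence to hunt for.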
Signatures

UAC bypass 2 IoCs
Processes: MalwareBazaar.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MalwareBazaar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MalwareBazaar.exe

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: oks.exe, MalwareBazaar.exe, 651.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | oks.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | MalwareBazaar.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | 651.exe

Executes dropped EXE 4 IoCs
Processes: 651.exe, oks.exe, START.EXE, START.EXE
pid | process
2332 | 651.exe
3076 | oks.exe
432 | START.EXE
2420 | START.EXE

Loads dropped DLL 1 IoCs
Processes: START.EXE
pid | process
432 | START.EXE

Adds Run key to start application 2 TTPs 1 IoCs
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*madrePuta = "rundll32.exe C:\\Users\\Admin\\Documents\\ChromeUpdater.dll,EntryPoint" | reg.exe

Checks whether UAC is enabled 1 IoCs
Processes: MalwareBazaar.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MalwareBazaar.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: START.EXE
pid | process
432 | START.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: MalwareBazaar.exe, oks.exe, NOTEPAD.EXE, START.EXE, START.EXE, cmd.exe, reg.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MalwareBazaar.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | START.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | START.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe

Modifies registry class 1 IoCs
Processes: oks.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | oks.exe

Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
pid | process
3996 | NOTEPAD.EXE

Suspicious use of WriteProcessMemory 23 IoCs
Processes: MalwareBazaar.exe, 651.exe, oks.exe, START.EXE, cmd.exe
description | pid | process | target process
PID 3324 wrote to memory of 2332 | 3324 | MalwareBazaar.exe | 651.exe
PID 3324 wrote to memory of 2332 | 3324 | MalwareBazaar.exe | 651.exe
PID 2332 wrote to memory of 3076 | 2332 | 651.exe | oks.exe
PID 2332 wrote to memory of 3076 | 2332 | 651.exe | oks.exe
PID 2332 wrote to memory of 3076 | 2332 | 651.exe | oks.exe
PID 3076 wrote to memory of 3996 | 3076 | oks.exe | NOTEPAD.EXE
PID 3076 wrote to memory of 3996 | 3076 | oks.exe | NOTEPAD.EXE
PID 3076 wrote to memory of 3996 | 3076 | oks.exe | NOTEPAD.EXE
PID 3076 wrote to memory of 432 | 3076 | oks.exe | START.EXE
PID 3076 wrote to memory of 432 | 3076 | oks.exe | START.EXE
PID 3076 wrote to memory of 432 | 3076 | oks.exe | START.EXE
PID 432 wrote to memory of 2420 | 432 | START.EXE | START.EXE
PID 432 wrote to memory of 2420 | 432 | START.EXE | START.EXE
PID 432 wrote to memory of 2420 | 432 | START.EXE | START.EXE
PID 432 wrote to memory of 2420 | 432 | START.EXE | START.EXE
PID 432 wrote to memory of 2420 | 432 | START.EXE | START.EXE
PID 432 wrote to memory of 2420 | 432 | START.EXE | START.EXE
PID 432 wrote to memory of 768 | 432 | START.EXE | cmd.exe
PID 432 wrote to memory of 768 | 432 | START.EXE | cmd.exe
PID 432 wrote to memory of 768 | 432 | START.EXE | cmd.exe
PID 768 wrote to memory of 4680 | 768 | cmd.exe | reg.exe
PID 768 wrote to memory of 4680 | 768 | cmd.exe | reg.exe
PID 768 wrote to memory of 4680 | 768 | cmd.exe | reg.exe

System policy modification 1 TTPs 3 IoCs
Processes: MalwareBazaar.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | MalwareBazaar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MalwareBazaar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MalwareBazaar.exe
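The registry rows above carry three findings worth turning into detection logic: EnableLUA=0 and ConsentPromptBehaviorAdmin=0 under HKLM\...\Policies\System (HKLM writes, so the process was already elevated; the EnableLUA change only takes effect after a reboot), a Run value whose name begins with an asterisk (the prefix Windows documents for RunOnce entries that should run even in Safe Mode, and a cheap hunting string either way), and a rundll32 command that loads a DLL out of a user profile rather than Program Files or Windows. The Python below is an added example, not part of the report or of the sandbox's own signatures: it parses rows in the same "description ioc process" shape the report uses and applies those three checks. The sample rows are constructed from the tables above plus one benign Run entry added as a control; the rule names are the example's own.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Rows constructed to match the report's "description / ioc / process" tables;
# the last row is a benign Run entry added here as a control, not from the report.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MalwareBazaar.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MalwareBazaar.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*madrePuta = "rundll32.exe C:\\Users\\Admin\\Documents\\ChromeUpdater.dll,EntryPoint" reg.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation oks.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" explorer.exe',
]

# operation, key path, optional quoted value, trailing process name
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key value queried|Key created|Key opened) '
    r'(?P<path>.+?)(?: = "(?P<value>.*)")? (?P<proc>\S+)$'
)
POLICY_KEY = r'\registry\machine\software\microsoft\windows\currentversion\policies\system'
# rundll32[.exe] followed by the DLL path, up to the comma before the export name
RUNDLL_RE = re.compile(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.I)


class Finding(NamedTuple):
    rule: str
    process: str
    detail: str


def parse_row(line: str) -> dict | None:
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def check_row(row: dict) -> list[Finding]:
    op, path, value, proc = row["op"], row["path"], row["value"], row["proc"]
    key, _, name = path.rpartition("\\")
    lkey, lname = key.lower(), name.lower()
    found: list[Finding] = []

    # 1. UAC policy tampering. HKLM values, so the writer was already elevated;
    #    EnableLUA=0 only takes effect after a reboot.
    if op.startswith("Set value") and lkey == POLICY_KEY:
        if lname == "enablelua" and value == "0":
            found.append(Finding("uac_disabled", proc, "EnableLUA=0 (applies after reboot)"))
        elif lname == "consentpromptbehavioradmin" and value == "0":
            found.append(Finding("uac_silent_elevate", proc, "ConsentPromptBehaviorAdmin=0 (no prompt)"))

    # 2. Run/RunOnce persistence: asterisk-prefixed value names (the documented
    #    "run even in Safe Mode" convention for RunOnce) and rundll32 loading a
    #    DLL out of a user profile instead of Program Files/Windows.
    if op.startswith("Set value") and re.search(r'\\currentversion\\run(once)?$', lkey):
        cmd = (value or "").replace("\\\\", "\\")   # the report doubles backslashes
        if name.startswith("*"):
            found.append(Finding("run_value_safemode_prefix", proc, f"{name} = {cmd}"))
        m = RUNDLL_RE.match(cmd)
        if m and re.match(r'^[a-z]:\\users\\', m["dll"], re.I):
            found.append(Finding("rundll32_user_profile_dll", proc, m["dll"]))

    # 3. Locale lookup used for geofencing.
    if op == "Key value queried" and path.lower().endswith(r'\control panel\international\geo\nation'):
        found.append(Finding("geo_nation_lookup", proc, "Geo\\Nation read (possible geofence)"))
    return found


def scan(rows) -> list[Finding]:
    out: list[Finding] = []
    for line in rows:
        row = parse_row(line)
        if row:
            out.extend(check_row(row))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.rule:28} {f.process:18} {f.detail}")
```

Run against the six constructed rows the scanner returns five findings, all from MalwareBazaar.exe, reg.exe and oks.exe; the OneDrive control row and the NLS\Language read produce nothing, which is the behaviour you want before pointing such rules at real Sysmon event 13 data.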
Processes
[1] C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 3324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Users\Admin\AppData\Local\Temp\651\651.exe (PID 2332)
      Command line: "C:\Users\Admin\AppData\Local\Temp\651\651.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\oks.exe (PID 3076)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\oks.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\NOTEPAD.EXE (PID 3996)
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\1040.INF
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)
      [4] C:\Users\Admin\AppData\Roaming\START.EXE (PID 432)
          Command line: "C:\Users\Admin\AppData\Roaming\START.EXE"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of NtCreateThreadExHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\START.EXE (PID 2420)
            Command line: "C:\Users\Admin\AppData\Roaming\START.EXE"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\cmd.exe (PID 768)
            Command line: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*madrePuta" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeUpdater.dll",EntryPoint /f & exit
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\reg.exe (PID 4680)
              Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*madrePuta" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeUpdater.dll",EntryPoint /f
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
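The WriteProcessMemory table in the Signatures section and the process tree above describe the same chain: MalwareBazaar.exe runs 651.exe, which runs oks.exe out of a RarSFX0 directory (the temp folder a WinRAR self-extracting stub unpacks into), which opens 1040.INF in Notepad and starts START.EXE; START.EXE then spawns a second copy of itself, creates a thread with the hide-from-debugger flag, and drives cmd.exe and reg.exe to write the Run key. Two caveats come straight from the data: the "likely ransom note" label is the sandbox's generic Notepad heuristic and nothing in the report shows encryption (the extracted family is Remcos, a RAT, so the INF is more plausibly a decoy document), and the SysWOW64 image paths paired with system32 command lines are WOW64 file-system redirection, i.e. the parents are 32-bit. The Python below is an added example, not part of the report: it parses the table as the single flattened line the page renders, rebuilds the process lineages, and singles out the same-image child that received markedly more writes than the ordinary launches, which the report records for every parent/child pair including cmd.exe starting reg.exe. The write threshold of 4 and the cmd.exe/reg.exe rule are the example's own heuristics, not findings stated by the sandbox.

```python
from __future__ import annotations

import re
from collections import defaultdict

# The report's 23 WriteProcessMemory rows, joined into one line the way the page renders them.
WPM_ROWS = (
    ["PID 3324 wrote to memory of 2332 3324 MalwareBazaar.exe 651.exe"] * 2
    + ["PID 2332 wrote to memory of 3076 2332 651.exe oks.exe"] * 3
    + ["PID 3076 wrote to memory of 3996 3076 oks.exe NOTEPAD.EXE"] * 3
    + ["PID 3076 wrote to memory of 432 3076 oks.exe START.EXE"] * 3
    + ["PID 432 wrote to memory of 2420 432 START.EXE START.EXE"] * 6
    + ["PID 432 wrote to memory of 768 432 START.EXE cmd.exe"] * 3
    + ["PID 768 wrote to memory of 4680 768 cmd.exe reg.exe"] * 3
)
WPM_TABLE = " ".join(WPM_ROWS)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the backreference
# rejects rows whose pid column disagrees with the description.
WPM_RE = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)'
)


def parse_wpm(text: str) -> tuple[dict[tuple[int, int], int], dict[int, str]]:
    """Return (edge -> write count, pid -> image name) from the flattened table."""
    edges: dict[tuple[int, int], int] = defaultdict(int)
    names: dict[int, str] = {}
    for m in WPM_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        names[src], names[dst] = m["src_name"], m["dst_name"]
        edges[(src, dst)] += 1
    return dict(edges), names


def lineages(edges: dict, names: dict) -> list[str]:
    """Every root-to-leaf path, as 'image(pid) > image(pid) > ...'."""
    tree: dict[int, list[int]] = defaultdict(list)
    for src, dst in edges:
        tree[src].append(dst)
    roots = sorted({s for s, _ in edges} - {d for _, d in edges})
    out: list[str] = []

    def walk(pid: int, path: list[str]) -> None:
        path = path + [f"{names[pid]}({pid})"]
        kids = tree.get(pid, [])
        if not kids:
            out.append(" > ".join(path))
        for k in kids:
            walk(k, path)

    for r in roots:
        walk(r, [])
    return out


def suspicious_pairs(edges: dict, names: dict, self_write_threshold: int = 4) -> list[tuple]:
    """Heuristics, not proof. The sandbox logs a few writes for every ordinary
    launch (even cmd.exe -> reg.exe), so only a same-image child with markedly
    more writes is flagged; the threshold is an assumption of this example."""
    flags = []
    for (src, dst), n in edges.items():
        s, d = names[src].lower(), names[dst].lower()
        if s == d and n >= self_write_threshold:
            flags.append(("same_image_child_extra_writes", src, dst, n))
        if s == "cmd.exe" and d == "reg.exe":
            flags.append(("cmd_reg_persistence", src, dst, n))
    return flags


if __name__ == "__main__":
    edges, names = parse_wpm(WPM_TABLE)
    for chain in lineages(edges, names):
        print(chain)
    for f in suspicious_pairs(edges, names):
        print("FLAG", f)
```

The three lineages end in NOTEPAD.EXE, the second START.EXE and reg.exe respectively; the only pair that trips the write-count heuristic is START.EXE(432) into START.EXE(2420) with six writes, the same process that the report also tags for NtCreateThreadExHideFromDebugger. That pairing is what justifies pulling a memory image of PID 2420 rather than the on-disk START.EXE.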
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
- Filesize: 7.7MB
  MD5: 186b6bf2fd5d1f3608f8c568a33aba2b
  SHA1: 03ac334f463e4125f0498cbe3a017c4e0dc9eec3
  SHA256: 82155ffb1e678544d90c4d3e7973029fa44936edc52e41bd99f22a51846e7755
  SHA512: 1bede595abf9ba44b0160f07a5a5b4de26b4dce9b5590c45af071d3d11565a92781356d12e127f732d1814f3b64feb8fc8e9e5d7366eee954cd450a919e9e9d3
- Filesize: 1.6MB
  MD5: 8fefb5372a86943f8468f348df360a3e
  SHA1: df18d766996b41e5fd678cdbb319b97fd1ca58b4
  SHA256: a75db91dc62805ba25ce77ada06a10c6e202e698141f0673936342b3956ad734
  SHA512: e9747d64401828db590093550f05c7014ae417025959925d29983fbd8b219cb733febb83926fcd90f07213fb2e69d582f3837e5321e809c08760710e950510cf
- Filesize: 2.8MB
  MD5: 0a59ba1ec5a791c0891678f3ac02852a
  SHA1: fa03a911a3bd61ecd1b0ddd002ba12b629481eab
  SHA256: 334965e87da4a0cc19e62a7a773fdc7a23013162196e242690377ecb315549c0
  SHA512: c8d366c32dd54ea7abe37332fa00dba3e94851ffedc295b828717e66e4cf0a2e012cf17a72c4a2d66d56cd2d0e0a3efc47fef36f4232a95a2095986fc40ba6f2