Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 12:02
Static task: static1
Behavioral task: behavioral1
  Sample: MalwareBazaar.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: MalwareBazaar.exe
  Resource: win10v2004-20240709-en
General
Target: MalwareBazaar.exe
Size: 939KB
MD5: 3f69729a8f2b22e625bb984f28758ebc
SHA1: ab8aab5952dfcf0d705daff76448920c67b6241d
SHA256: d1b50fc6ce79320a88defef33baf6a51e30845bd13ab2b52f7925ba0b8f527cd
SHA512: c4622e82f66aa728ded76ef628bd31ddcd35581a10a6043e735e557a26c8f9c72c67713f29a3ed90f647bf268484b44cf812918a02aa8e1539c3fdac7bcc1fa1
SSDEEP: 24576:Yglv8Jv17LLE1hUG+n1KD9Wa9PMEgDzx9mZREOUqqHXONlVUE:oPYf+n1KDghPx9ARDhqHXOR
Malware Config
Extracted: remcos
RemoteHost: 204.10.160.230:7983
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-O7QOC3
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2732  powershell.exe
  2724  powershell.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process            target process
  PID 2032 set thread context of 2552  2032  MalwareBazaar.exe  MalwareBazaar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MalwareBazaar.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MalwareBazaar.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
  pid   process
  2032  MalwareBazaar.exe
  2032  MalwareBazaar.exe
  2032  MalwareBazaar.exe
  2032  MalwareBazaar.exe
  2032  MalwareBazaar.exe
  2032  MalwareBazaar.exe
  2032  MalwareBazaar.exe
  2724  powershell.exe
  2732  powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2032  MalwareBazaar.exe
  Token: SeDebugPrivilege  2724  powershell.exe
  Token: SeDebugPrivilege  2732  powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs
Processes:
  description                        pid   process            target process
  PID 2032 wrote to memory of 2732   2032  MalwareBazaar.exe  powershell.exe
  PID 2032 wrote to memory of 2732   2032  MalwareBazaar.exe  powershell.exe
  PID 2032 wrote to memory of 2732   2032  MalwareBazaar.exe  powershell.exe
  PID 2032 wrote to memory of 2732   2032  MalwareBazaar.exe  powershell.exe
  PID 2032 wrote to memory of 2724   2032  MalwareBazaar.exe  powershell.exe
  PID 2032 wrote to memory of 2724   2032  MalwareBazaar.exe  powershell.exe
  PID 2032 wrote to memory of 2724   2032  MalwareBazaar.exe  powershell.exe
  PID 2032 wrote to memory of 2724   2032  MalwareBazaar.exe  powershell.exe
  PID 2032 wrote to memory of 2672   2032  MalwareBazaar.exe  schtasks.exe
  PID 2032 wrote to memory of 2672   2032  MalwareBazaar.exe  schtasks.exe
  PID 2032 wrote to memory of 2672   2032  MalwareBazaar.exe  schtasks.exe
  PID 2032 wrote to memory of 2672   2032  MalwareBazaar.exe  schtasks.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
  PID 2032 wrote to memory of 2552   2032  MalwareBazaar.exe  MalwareBazaar.exe
Processes

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2032

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2732

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HODoCxSdp.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2724

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2CDA.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 2672

  C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    - System Location Discovery: System Language Discovery
    PID: 2552
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: dab58097bd4bf751342614363f7aeeb3
SHA1: 485885370b0ca7a056443baf171858262b096d8e
SHA256: 02c1e6b3974378fa11fa4b6dabfd98e86cce87c35394f9007c2040a7a3c6edbe
SHA512: 00a5f9c49e6e3c762bcd10232cd1b7fbc004c351ca0432410edd29218b149f201488d71640107b8b63db06261f3ed19b7d5646c1ccda5d435629aaf04b6f1244

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 47e6b5e5a53ca581e29e31e7b45a2777
SHA1: 55616eb5ba2f557c07be57d9c6ca0d216702dc19
SHA256: e47d53c17f9b7d55f6ad1cbd56b34ede89164398cad51cabd8f6972d72d1f0e6
SHA512: c35a861f5cb70a69016605a86301fe22cde12fbde99fb23f82a1094f79ff59879457b853e817e19153eacae41aedfb441633b6aa7fdb1e4baf500ce5bdbde158