Malware Analysis Report

2024-12-07 22:14

Sample ID 240806-g8qs9asakk
Target incognito.zip
SHA256 06a221807fe4909575987be289333ffc926b851951ebb2b4270b767ab3258cc8
Tags
remotehost remcos discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06a221807fe4909575987be289333ffc926b851951ebb2b4270b767ab3258cc8

Threat Level: Known bad

The file incognito.zip was found to be: Known bad.

Malicious Activity Summary

remotehost remcos discovery

Remcos family

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 06:28

Signatures

Remcos family

remcos

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 06:28

Reported

2024-08-06 06:31

Platform

win11-20240802-en

Max time kernel

142s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe"

Signatures

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe

"C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004CC

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc

C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe

"C:\Users\Admin\AppData\Local\Temp\incognito\incognito.exe"

Network

Country | Destination | Domain | Proto
N/A | 192.168.1.6:8888 | | tcp
N/A | 192.168.1.6:8888 | | tcp
GB | 104.86.110.113:443 | | tcp
GB | 104.86.110.113:443 | | tcp
US | 8.8.8.8:53 | browser.pipe.aria.microsoft.com | udp
GB | 92.123.142.186:443 | r.bing.com | tcp
GB | 92.123.142.186:443 | r.bing.com | tcp
GB | 92.123.142.186:443 | r.bing.com | tcp
GB | 92.123.142.186:443 | r.bing.com | tcp
GB | 92.123.142.186:443 | r.bing.com | tcp
GB | 92.123.142.186:443 | r.bing.com | tcp
US | 52.168.112.66:443 | browser.pipe.aria.microsoft.com | tcp
N/A | 192.168.1.6:8888 | | tcp

Files

N/A