Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 12-08-2024 22:56
Behavioral task behavioral1: Sample ImageLogger.exe, Resource win7-20240708-en
Behavioral task behavioral2: Sample ImageLogger.exe, Resource win10v2004-20240802-en
General
Target: ImageLogger.exe
Size: 483KB
MD5: 3bb489034bbe5a50f866a3b4257d8efc
SHA1: ac7b71c48cb0bcd81db38afb5f88eb196fc55c6d
SHA256: b722366efcf9c6f32c697164a821dbdbcb7abdab41e2685e16944d659ee5dc4c
SHA512: 827f669d0bee715bf49ef0e50bc7689eb1e78408df60d79ed720bb0e8444daca89bd4f0396202394a5b01e2efa8511838d7aad1af70609c47b859ff8d688f566
SSDEEP: 6144:QTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccr2T4:QTlrYw1RUh3NFn+N5WfIQIjbs/ZBhT4
Malware Config
Extracted: remcos
RemoteHost: software-julia.gl.at.ply.gg:17106
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: Windows.exe
copy_folder: Windows
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-H2REJ9
screenshot_crypt: false
screenshot_flag: true
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Executes dropped EXE 1 IoCs
Processes:
pid | Process
2784 | Windows.exe

Loads dropped DLL 2 IoCs
Processes:
pid | Process
1940 | ImageLogger.exe
1940 | ImageLogger.exe

Adds Run key to start application 2 TTPs 6 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" | ImageLogger.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" | ImageLogger.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" | Windows.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" | Windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" | iexplore.exe

Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | Process | procid_target
PID 2784 set thread context of 3040 | 2784 | Windows.exe | 35
PID 3040 set thread context of 2892 | 3040 | iexplore.exe | 40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ImageLogger.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Windows.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry key 1 TTPs 3 IoCs
Processes:
pid | Process
2180 | reg.exe
2900 | reg.exe
2576 | reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | Process
2784 | Windows.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | Process
3040 | iexplore.exe

Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | Process
2784 | Windows.exe
3040 | iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | Process
3040 | iexplore.exe

Suspicious use of WriteProcessMemory 38 IoCs
Processes:
description | pid | Process | procid_target
PID 1940 wrote to memory of 3024 | 1940 | ImageLogger.exe | 30
PID 1940 wrote to memory of 3024 | 1940 | ImageLogger.exe | 30
PID 1940 wrote to memory of 3024 | 1940 | ImageLogger.exe | 30
PID 1940 wrote to memory of 3024 | 1940 | ImageLogger.exe | 30
PID 3024 wrote to memory of 2180 | 3024 | cmd.exe | 32
PID 3024 wrote to memory of 2180 | 3024 | cmd.exe | 32
PID 3024 wrote to memory of 2180 | 3024 | cmd.exe | 32
PID 3024 wrote to memory of 2180 | 3024 | cmd.exe | 32
PID 1940 wrote to memory of 2784 | 1940 | ImageLogger.exe | 33
PID 1940 wrote to memory of 2784 | 1940 | ImageLogger.exe | 33
PID 1940 wrote to memory of 2784 | 1940 | ImageLogger.exe | 33
PID 1940 wrote to memory of 2784 | 1940 | ImageLogger.exe | 33
PID 2784 wrote to memory of 2736 | 2784 | Windows.exe | 34
PID 2784 wrote to memory of 2736 | 2784 | Windows.exe | 34
PID 2784 wrote to memory of 2736 | 2784 | Windows.exe | 34
PID 2784 wrote to memory of 2736 | 2784 | Windows.exe | 34
PID 2784 wrote to memory of 3040 | 2784 | Windows.exe | 35
PID 2784 wrote to memory of 3040 | 2784 | Windows.exe | 35
PID 2784 wrote to memory of 3040 | 2784 | Windows.exe | 35
PID 2784 wrote to memory of 3040 | 2784 | Windows.exe | 35
PID 2784 wrote to memory of 3040 | 2784 | Windows.exe | 35
PID 2736 wrote to memory of 2900 | 2736 | cmd.exe | 37
PID 2736 wrote to memory of 2900 | 2736 | cmd.exe | 37
PID 2736 wrote to memory of 2900 | 2736 | cmd.exe | 37
PID 2736 wrote to memory of 2900 | 2736 | cmd.exe | 37
PID 3040 wrote to memory of 2348 | 3040 | iexplore.exe | 38
PID 3040 wrote to memory of 2348 | 3040 | iexplore.exe | 38
PID 3040 wrote to memory of 2348 | 3040 | iexplore.exe | 38
PID 3040 wrote to memory of 2348 | 3040 | iexplore.exe | 38
PID 3040 wrote to memory of 2892 | 3040 | iexplore.exe | 40
PID 3040 wrote to memory of 2892 | 3040 | iexplore.exe | 40
PID 3040 wrote to memory of 2892 | 3040 | iexplore.exe | 40
PID 3040 wrote to memory of 2892 | 3040 | iexplore.exe | 40
PID 3040 wrote to memory of 2892 | 3040 | iexplore.exe | 40
PID 2348 wrote to memory of 2576 | 2348 | cmd.exe | 41
PID 2348 wrote to memory of 2576 | 2348 | cmd.exe | 41
PID 2348 wrote to memory of 2576 | 2348 | cmd.exe | 41
PID 2348 wrote to memory of 2576 | 2348 | cmd.exe | 41
Processes
C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1940

    C:\Windows\SysWOW64\cmd.exe
      Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3024

        C:\Windows\SysWOW64\reg.exe
          Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 2180

    C:\ProgramData\Windows\Windows.exe
      Command line: "C:\ProgramData\Windows\Windows.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 2784

        C:\Windows\SysWOW64\cmd.exe
          Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2736

            C:\Windows\SysWOW64\reg.exe
              Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              - UAC bypass
              - System Location Discovery: System Language Discovery
              - Modifies registry key
              PID: 2900

        \??\c:\program files (x86)\internet explorer\iexplore.exe
          Command line: "c:\program files (x86)\internet explorer\iexplore.exe"
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 3040

            C:\Windows\SysWOW64\cmd.exe
              Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 2348

                C:\Windows\SysWOW64\reg.exe
                  Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  - UAC bypass
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key
                  PID: 2576

            C:\Windows\SysWOW64\svchost.exe
              Command line: svchost.exe
              PID: 2892
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
Downloads
Filesize: 230B
MD5: 704ce0b10b342580f9a8cc53eceaab2c
SHA1: 1315ded969bdcf8ffe27bef3c784ce07e41b24e0
SHA256: 3017ed19ac049aab43e8ea2018d979a30f0f0896f4fd4e83d6ed5d04ae837828
SHA512: dcb4d9f3d995bedc7b5095b6ca6d24b847833b5f9d5b0a90d01b4e19385fa1cf4b77f5913b76483004492f9e339e83105d736e4b762990cedadd8df1aba4c89d

Filesize: 483KB
MD5: 3bb489034bbe5a50f866a3b4257d8efc
SHA1: ac7b71c48cb0bcd81db38afb5f88eb196fc55c6d
SHA256: b722366efcf9c6f32c697164a821dbdbcb7abdab41e2685e16944d659ee5dc4c
SHA512: 827f669d0bee715bf49ef0e50bc7689eb1e78408df60d79ed720bb0e8444daca89bd4f0396202394a5b01e2efa8511838d7aad1af70609c47b859ff8d688f566