Analysis
-
max time kernel
1049s -
max time network
1036s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12-08-2024 21:03
Behavioral task
behavioral1
Sample
idk.exe
Resource
win10v2004-20240802-en
General
-
Target
idk.exe
-
Size
483KB
-
MD5
783b3ecb43e1e04cac88e273c7ad2753
-
SHA1
4df53206d490af68c1352091ba7a51fbe6d23139
-
SHA256
dc0e648c50a81a0be80931b39a973d0edf899eb09c778e68a8b6025635696a05
-
SHA512
cc5b563719391acf3a3c54d4ad527e59a0181f57d51a4fc97e7a3a19372392cfa98710f61962844948565e150b92ebf37b2710e30455506d11cfeb174986309b
-
SSDEEP
6144:wTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccrzT4:wTlrYw1RUh3NFn+N5WfIQIjbs/ZBkT4
Malware Config
Extracted
remcos
RemoteHost
k-peterson.gl.at.ply.gg:64076
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Windows.exe
-
copy_folder
Windows
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-HIITQK
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Processes:
reg.exereg.exereg.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
idk.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation idk.exe -
Executes dropped EXE 1 IoCs
Processes:
Windows.exepid Process 2856 Windows.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
idk.exeWindows.exeiexplore.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" idk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" idk.exe Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" Windows.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" Windows.exe Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" iexplore.exe -
Drops file in System32 directory 3 IoCs
Processes:
idk.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Windows\Windows.exe idk.exe File opened for modification C:\Windows\SysWOW64\Windows idk.exe File created C:\Windows\SysWOW64\Windows\Windows.exe idk.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
Windows.exeiexplore.exedescription pid Process procid_target PID 2856 set thread context of 2160 2856 Windows.exe 93 PID 2160 set thread context of 3520 2160 iexplore.exe 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
reg.exeWindows.execmd.execmd.exereg.exeidk.execmd.exeiexplore.exereg.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language idk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry class 1 IoCs
Processes:
idk.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ idk.exe -
Modifies registry key 1 TTPs 3 IoCs
Processes:
reg.exereg.exereg.exepid Process 1060 reg.exe 884 reg.exe 1516 reg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Windows.exepid Process 2856 Windows.exe 2856 Windows.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
iexplore.exepid Process 2160 iexplore.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
Windows.exeiexplore.exepid Process 2856 Windows.exe 2160 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
iexplore.exepid Process 2160 iexplore.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
idk.execmd.exeWindows.exeiexplore.execmd.execmd.exedescription pid Process procid_target PID 4108 wrote to memory of 1992 4108 idk.exe 84 PID 4108 wrote to memory of 1992 4108 idk.exe 84 PID 4108 wrote to memory of 1992 4108 idk.exe 84 PID 1992 wrote to memory of 1060 1992 cmd.exe 86 PID 1992 wrote to memory of 1060 1992 cmd.exe 86 PID 1992 wrote to memory of 1060 1992 cmd.exe 86 PID 4108 wrote to memory of 2856 4108 idk.exe 90 PID 4108 wrote to memory of 2856 4108 idk.exe 90 PID 4108 wrote to memory of 2856 4108 idk.exe 90 PID 2856 wrote to memory of 316 2856 Windows.exe 91 PID 2856 wrote to memory of 316 2856 Windows.exe 91 PID 2856 wrote to memory of 316 2856 Windows.exe 91 PID 2856 wrote to memory of 2160 2856 Windows.exe 93 PID 2856 wrote to memory of 2160 2856 Windows.exe 93 PID 2856 wrote to memory of 2160 2856 Windows.exe 93 PID 2856 wrote to memory of 2160 2856 Windows.exe 93 PID 2160 wrote to memory of 3952 2160 iexplore.exe 94 PID 2160 wrote to memory of 3952 2160 iexplore.exe 94 PID 2160 wrote to memory of 3952 2160 iexplore.exe 94 PID 2160 wrote to memory of 3520 2160 iexplore.exe 96 PID 2160 wrote to memory of 3520 2160 iexplore.exe 96 PID 2160 wrote to memory of 3520 2160 iexplore.exe 96 PID 2160 wrote to memory of 3520 2160 iexplore.exe 96 PID 316 wrote to memory of 884 316 cmd.exe 97 PID 316 wrote to memory of 884 316 cmd.exe 97 PID 316 wrote to memory of 884 316 cmd.exe 97 PID 3952 wrote to memory of 1516 3952 cmd.exe 98 PID 3952 wrote to memory of 1516 3952 cmd.exe 98 PID 3952 wrote to memory of 1516 3952 cmd.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\idk.exe"C:\Users\Admin\AppData\Local\Temp\idk.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1060
-
-
-
C:\Windows\SysWOW64\Windows\Windows.exe"C:\Windows\SysWOW64\Windows\Windows.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:884
-
-
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1516
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe4⤵PID:3520
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
230B
MD5a68c17cb4182ba7393c1985f5eb11c4c
SHA1206e49f389defdc9382649a3583105bebfbc815a
SHA25656a1f9c5943ae7be7edfc049f1e5da92e626dcc5beeb528e730b720c06f593a6
SHA5123d114e8a734ff30c515ac1d443125cbd2088bc581c06f645c33e98e686aff73873d444aed8fef6562e1264fd247226b2780038059e10e40f4074a22ae19f2c32
-
Filesize
310B
MD58bc72116708a80776d2d349e9e1ec6ab
SHA1a96df3b24b8dee6776098bfd81e030ca589da5ab
SHA25613f6e504c34399aa78b92fc003845b229fcf091e1315b4542c21ba9a4532851b
SHA51200447ab975ae8aed2bfa0eb018aaf7273f6028379b520a21694084485eefc5242b2ad04ba5e0c1db30ccb353fa6f36c1e068117e9c8be1671b335768b936880f
-
Filesize
483KB
MD5783b3ecb43e1e04cac88e273c7ad2753
SHA14df53206d490af68c1352091ba7a51fbe6d23139
SHA256dc0e648c50a81a0be80931b39a973d0edf899eb09c778e68a8b6025635696a05
SHA512cc5b563719391acf3a3c54d4ad527e59a0181f57d51a4fc97e7a3a19372392cfa98710f61962844948565e150b92ebf37b2710e30455506d11cfeb174986309b