Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12-08-2024 21:05
Behavioral task
behavioral1
Sample
new.exe
Resource
win10v2004-20240802-en
General
-
Target
new.exe
-
Size
483KB
-
MD5
ef2d8a16de6f9ecc5c53fd1fb3f5156a
-
SHA1
2646722bb3cff01dfd3276ef94be73ab0c065e4d
-
SHA256
c0655fbc9631b46f22ca1e61594e98e4ce4061e51a63ccae5d112ac74fa3ff6c
-
SHA512
8a4f6bd37d1e0161b11d8161c1f564f6cd7a1931beb74727a905eb408379189fecff1334201174eca7c422d32777f1baf169c45d8d90ab4cd11040d396b22446
-
SSDEEP
12288:QTlrYw1RUh3NFn+N5WfIQIjbs/ZBc/T4:gpRUh3NDfIQIjeZS
Malware Config
Extracted
remcos
RemoteHost
k-peterson.gl.at.ply.gg:64076
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Windows.exe
-
copy_folder
Windows
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-3IZME9
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Processes:
reg.exereg.exereg.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
new.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation new.exe -
Executes dropped EXE 1 IoCs
Processes:
Windows.exepid Process 4888 Windows.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
new.exeWindows.exeiexplore.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3IZME9 = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" new.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3IZME9 = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" new.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3IZME9 = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" Windows.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3IZME9 = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" Windows.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3IZME9 = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3IZME9 = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" iexplore.exe -
Drops file in System32 directory 3 IoCs
Processes:
new.exedescription ioc Process File created C:\Windows\SysWOW64\Windows\Windows.exe new.exe File opened for modification C:\Windows\SysWOW64\Windows\Windows.exe new.exe File opened for modification C:\Windows\SysWOW64\Windows new.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
Windows.exeiexplore.exedescription pid Process procid_target PID 4888 set thread context of 872 4888 Windows.exe 93 PID 872 set thread context of 4824 872 iexplore.exe 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
reg.execmd.exereg.exeWindows.execmd.exereg.exenew.exeiexplore.execmd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language new.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 1 IoCs
Processes:
new.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ new.exe -
Modifies registry key 1 TTPs 3 IoCs
Processes:
reg.exereg.exereg.exepid Process 456 reg.exe 2640 reg.exe 3848 reg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Windows.exepid Process 4888 Windows.exe 4888 Windows.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
Windows.exeiexplore.exepid Process 4888 Windows.exe 872 iexplore.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
new.execmd.exeWindows.exeiexplore.execmd.execmd.exedescription pid Process procid_target PID 1828 wrote to memory of 3604 1828 new.exe 85 PID 1828 wrote to memory of 3604 1828 new.exe 85 PID 1828 wrote to memory of 3604 1828 new.exe 85 PID 3604 wrote to memory of 456 3604 cmd.exe 87 PID 3604 wrote to memory of 456 3604 cmd.exe 87 PID 3604 wrote to memory of 456 3604 cmd.exe 87 PID 1828 wrote to memory of 4888 1828 new.exe 89 PID 1828 wrote to memory of 4888 1828 new.exe 89 PID 1828 wrote to memory of 4888 1828 new.exe 89 PID 4888 wrote to memory of 4692 4888 Windows.exe 91 PID 4888 wrote to memory of 4692 4888 Windows.exe 91 PID 4888 wrote to memory of 4692 4888 Windows.exe 91 PID 4888 wrote to memory of 872 4888 Windows.exe 93 PID 4888 wrote to memory of 872 4888 Windows.exe 93 PID 4888 wrote to memory of 872 4888 Windows.exe 93 PID 4888 wrote to memory of 872 4888 Windows.exe 93 PID 872 wrote to memory of 2252 872 iexplore.exe 94 PID 872 wrote to memory of 2252 872 iexplore.exe 94 PID 872 wrote to memory of 2252 872 iexplore.exe 94 PID 872 wrote to memory of 4824 872 iexplore.exe 96 PID 872 wrote to memory of 4824 872 iexplore.exe 96 PID 872 wrote to memory of 4824 872 iexplore.exe 96 PID 872 wrote to memory of 4824 872 iexplore.exe 96 PID 4692 wrote to memory of 2640 4692 cmd.exe 97 PID 4692 wrote to memory of 2640 4692 cmd.exe 97 PID 4692 wrote to memory of 2640 4692 cmd.exe 97 PID 2252 wrote to memory of 3848 2252 cmd.exe 98 PID 2252 wrote to memory of 3848 2252 cmd.exe 98 PID 2252 wrote to memory of 3848 2252 cmd.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\new.exe"C:\Users\Admin\AppData\Local\Temp\new.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:456
-
-
-
C:\Windows\SysWOW64\Windows\Windows.exe"C:\Windows\SysWOW64\Windows\Windows.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2640
-
-
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3848
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe4⤵PID:4824
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
483KB
MD5ef2d8a16de6f9ecc5c53fd1fb3f5156a
SHA12646722bb3cff01dfd3276ef94be73ab0c065e4d
SHA256c0655fbc9631b46f22ca1e61594e98e4ce4061e51a63ccae5d112ac74fa3ff6c
SHA5128a4f6bd37d1e0161b11d8161c1f564f6cd7a1931beb74727a905eb408379189fecff1334201174eca7c422d32777f1baf169c45d8d90ab4cd11040d396b22446