Analysis

Max time kernel: 149s
Max time network: 145s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 13-08-2024 16:58

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: Etkt9oJ08ZyhAlm.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: Etkt9oJ08ZyhAlm.exe
  Resource: win10v2004-20240802-en
General

Target: Etkt9oJ08ZyhAlm.exe
Size: 910KB
MD5: e93b72986bdf1856a3f407cbb948b5dd
SHA1: 3e546f719a8c752429382d7c78747bfe96ac6c42
SHA256: 51aa6be003977c67c7eaf393b81af1e5ff9ad99850ce86ba7c3dafe7e12728c6
SHA512: 7195283fdeec6479e6b0225a9ba3c95c430770173bf1148f1cd10f11a0183fe2082adf67849ceb2841f016bcf9af203268633295da8062ad18444a8b9c69ba9d
SSDEEP: 24576:rBuYiVAVhw4b8TrquAD+xCyUpoPNOUEqgkQt+wUcVWVD:rBuYIgnbWrCD+xCyhVSdVi
Malware Config

Extracted family: remcos

RemoteHost: 192.3.243.155:7643
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-C9YEJ8
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   Process
  2068  powershell.exe
  2880  powershell.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid   Process              procid_target
  PID 2208 set thread context of 2816  2208  Etkt9oJ08ZyhAlm.exe  35

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Etkt9oJ08ZyhAlm.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Etkt9oJ08ZyhAlm.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   Process
  2068  powershell.exe
  2880  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  2068  powershell.exe
  Token: SeDebugPrivilege  2880  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   Process
  2816  Etkt9oJ08ZyhAlm.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes (identical entries grouped, count in the last column):
  description                       pid   Process              procid_target  entries
  PID 2208 wrote to memory of 2068  2208  Etkt9oJ08ZyhAlm.exe  29             4
  PID 2208 wrote to memory of 2880  2208  Etkt9oJ08ZyhAlm.exe  31             4
  PID 2208 wrote to memory of 2796  2208  Etkt9oJ08ZyhAlm.exe  32             4
  PID 2208 wrote to memory of 2816  2208  Etkt9oJ08ZyhAlm.exe  35             13
Processes

Etkt9oJ08ZyhAlm.exe (PID 2208)
  Path: C:\Users\Admin\AppData\Local\Temp\Etkt9oJ08ZyhAlm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Etkt9oJ08ZyhAlm.exe"
  Signatures:
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  powershell.exe (PID 2068), child of 2208
    Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Etkt9oJ08ZyhAlm.exe"
    Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  powershell.exe (PID 2880), child of 2208
    Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kFkVqvIpoatJkA.exe"
    Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  schtasks.exe (PID 2796), child of 2208
    Path: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kFkVqvIpoatJkA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp19C8.tmp"
    Signatures:
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  Etkt9oJ08ZyhAlm.exe (PID 2816), child of 2208
    Path: C:\Users\Admin\AppData\Local\Temp\Etkt9oJ08ZyhAlm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Etkt9oJ08ZyhAlm.exe"
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file (path not reported)
  Filesize: 144B
  MD5: ec7d6baf13657897e17554d5bf73cdd5
  SHA1: 0e2498172eecdde61ec79c43e96d9a215973e598
  SHA256: 594bf21f353e04e7c2275f1f0784ecba8486cbf8446184a04dfd276ef7b04301
  SHA512: 60e7b5fab26b81abf0780d0bf219031830f480aa6d4338cf462c8623d3cca74798e8d7b580f2e584e6e3ce26b3f9e1f5accd3dd4502a74aa1f89663e4fb9b5c9

Dropped file (path not reported)
  Filesize: 1KB
  MD5: f2ca1a153462a0b973d7c326bfdc8c85
  SHA1: 5533cee0ebdcf401bb0559ac093906a8f50e85e3
  SHA256: 76272f3d0ef21313c44ea034d213cbb437334723cf018b5ebab7effb218d50b1
  SHA512: 59ca2b59c1d7f98f9aae03ca7518fdd91b8f4cc291e4659b713fd8184940ee6549295d57dcd9fe7477b73a1250ca045b221fd3c486dc9539e580a09f2cd0414d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 499a27bd5055a40ed8fbb11fd5f4c175
  SHA1: 6415caf276fcc63d2e35b5dcdd133f0b47d11039
  SHA256: 3bc32b41b98676dd9825659e2b41e1ec80f4e7ba458de0b8716cb9db467d84a8
  SHA512: 311cd0e4b1e358133ee8e7311aa159937d7ea6337f5ecd18182d81f45d9bc0140de9dfd92ad6c2c294cb93be70fc0e6d53590d7b860483492080710dd2318fc8