Resubmissions
14-08-2024 15:23
240814-ssramazbkg 10General
-
Target
Updater.exe
-
Size
483KB
-
Sample
240814-ssramazbkg
-
MD5
2e2946dbb102329c2b7ea3a6bc6d928e
-
SHA1
f71e23604985c52f609a8eaa1f907b6cf1311bbe
-
SHA256
4311ee23e9f4cb3432d3b0a5a78b020f89494063ba1d870298f2117970879e37
-
SHA512
60ab3f9a07d86dcdf37e2823d2f140f28dcd2b6120821703db1eadd2ed8ab34aea6abeb5cc6e54426374f6e780a2d9014dbd1a9d353cbb1d6ccd077e58ce57da
-
SSDEEP
6144:QTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccrbT4:QTlrYw1RUh3NFn+N5WfIQIjbs/ZBIT4
Behavioral task
behavioral1
Sample
Updater.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Updater.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
remcos
RemoteHost
mode-clusters.gl.at.ply.gg:36304
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
$77-Installer
-
copy_folder
Remcos
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-YXZARA
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Updater.exe
-
Size
483KB
-
MD5
2e2946dbb102329c2b7ea3a6bc6d928e
-
SHA1
f71e23604985c52f609a8eaa1f907b6cf1311bbe
-
SHA256
4311ee23e9f4cb3432d3b0a5a78b020f89494063ba1d870298f2117970879e37
-
SHA512
60ab3f9a07d86dcdf37e2823d2f140f28dcd2b6120821703db1eadd2ed8ab34aea6abeb5cc6e54426374f6e780a2d9014dbd1a9d353cbb1d6ccd077e58ce57da
-
SSDEEP
6144:QTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccrbT4:QTlrYw1RUh3NFn+N5WfIQIjbs/ZBIT4
-
Adds policy Run key to start application
-
Deletes itself
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4