Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 15-08-2024 13:14
Behavioral task behavioral1
- Sample: virus.exe
- Resource: win7-20240729-en
Behavioral task behavioral2
- Sample: virus.exe
- Resource: win10v2004-20240802-en
General
- Target: virus.exe
- Size: 483KB
- MD5: cbab80f7f17d6c3830a17d7fee29cd30
- SHA1: 701eb7c9e2b662728f23dfaa34e634f11847aad7
- SHA256: eea9c58429ef1465aa760fada958b5d580e3ea0c2a40a7c11de9f5518f661706
- SHA512: e5b0acbeadadb3e75e2b8aa4794ab5fabe41de92dabc46120c84c6e0000da55900eecd7d12f1bb1a392b0dc9dbcb1e97fa7bf54a8281e6ebb2ca100d2c91fb90
- SSDEEP: 6144:wTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccrRT4:wTlrYw1RUh3NFn+N5WfIQIjbs/ZBKT4
Malware Config
Extracted: remcos
- RemoteHost: mode-clusters.gl.at.ply.gg:36304
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: $77-Update of anti root
- copy_folder: WinDMRmanager
- delete_file: true
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %WinDir%\System32
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-W4O1LZ
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
UAC bypass - 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Adds policy Run key to start application - 2 TTPs, 4 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | virus.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | virus.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | iexplore.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | iexplore.exe
Deletes itself - 1 IoC
  pid | Process
  2308 | iexplore.exe
Adds Run key to start application - 2 TTPs, 4 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | virus.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | virus.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | iexplore.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | iexplore.exe
Drops file in System32 directory - 5 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\WinDMRmanager\$77-Update of anti root | virus.exe
  File opened for modification | C:\Windows\SysWOW64\WinDMRmanager\$77-Update of anti root | virus.exe
  File opened for modification | C:\Windows\SysWOW64\WinDMRmanager | virus.exe
  File opened for modification | C:\Windows\SysWOW64\WinDMRmanager | iexplore.exe
  File opened for modification | C:\Windows\SysWOW64\WinDMRmanager\$77-Update of anti root | iexplore.exe
Suspicious use of SetThreadContext - 2 IoCs
  description | pid | Process | procid_target
  PID 2136 set thread context of 2308 | 2136 | virus.exe | 33
  PID 2308 set thread context of 2772 | 2308 | iexplore.exe | 35
System Location Discovery: System Language Discovery - 1 TTP, 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | virus.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry key - 1 TTP, 2 IoCs
  pid | Process
  588 | reg.exe
  2776 | reg.exe
Suspicious behavior: EnumeratesProcesses - 1 IoC
  pid | Process
  2136 | virus.exe
Suspicious behavior: MapViewOfSection - 2 IoCs
  pid | Process
  2136 | virus.exe
  2308 | iexplore.exe
Suspicious use of WriteProcessMemory - 30 IoCs
  description | pid | Process | procid_target | occurrences
  PID 2136 wrote to memory of 2340 | 2136 | virus.exe | 30 | 4
  PID 2340 wrote to memory of 588 | 2340 | cmd.exe | 32 | 4
  PID 2136 wrote to memory of 2308 | 2136 | virus.exe | 33 | 5
  PID 2308 wrote to memory of 2084 | 2308 | iexplore.exe | 34 | 4
  PID 2308 wrote to memory of 2772 | 2308 | iexplore.exe | 35 | 5
  PID 2084 wrote to memory of 2776 | 2084 | cmd.exe | 37 | 4
  PID 2308 wrote to memory of 1772 | 2308 | iexplore.exe | 40 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\virus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\virus.exe"
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 2136
  C:\Windows\SysWOW64\cmd.exe
    Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2340
    C:\Windows\SysWOW64\reg.exe
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 588
  \??\c:\program files (x86)\internet explorer\iexplore.exe
    Command line: "c:\program files (x86)\internet explorer\iexplore.exe"
    - Adds policy Run key to start application
    - Deletes itself
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 2308
    C:\Windows\SysWOW64\cmd.exe
      Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2084
      C:\Windows\SysWOW64\reg.exe
        Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - UAC bypass
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 2776
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2772
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msejiowubuxxeyjf.vbs"
      - System Location Discovery: System Language Discovery
      PID: 1772
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Downloads
- Filesize: 654B
  MD5: f9903a94c05461ef865cd21d06b63a2f
  SHA1: 731f5328eb5461d1d6582f84ea1d7a3800e8758f
  SHA256: d7ae25d8fe5a9c3bc85077dd2f22c017df803084978cf4a4c48a1aad37898ec5
  SHA512: f1d8f1f63a6561119e7f1809e061ca8af05255da51e7f5ce6e08c3d8c91b3de117dc636d8c438add9895ed802ea105475d87f949a42d4598cea3305b56d415fe
- Filesize: 483KB
  MD5: cbab80f7f17d6c3830a17d7fee29cd30
  SHA1: 701eb7c9e2b662728f23dfaa34e634f11847aad7
  SHA256: eea9c58429ef1465aa760fada958b5d580e3ea0c2a40a7c11de9f5518f661706
  SHA512: e5b0acbeadadb3e75e2b8aa4794ab5fabe41de92dabc46120c84c6e0000da55900eecd7d12f1bb1a392b0dc9dbcb1e97fa7bf54a8281e6ebb2ca100d2c91fb90