Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
17-08-2024 04:06
Static task
static1
Behavioral task
behavioral1
Sample
FTE98767800000.bat.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
FTE98767800000.bat.exe
Resource
win10v2004-20240802-en
General
-
Target
FTE98767800000.bat.exe
-
Size
1.4MB
-
MD5
e418c8ddea38739c5fa4e6ee469ffd47
-
SHA1
52ee59d5c7d3768056ac7809aea362e8adbeaa74
-
SHA256
8fcca28a02a116ed9c02bfdcbe3bfb47206592110805aaeda4ad5c55aba82a74
-
SHA512
3879b2ff0821511222cd9de8dc369037df52f655c2be937c4499cd9006049ed3a671c6ccd33f0adfa499aec935e14e388449574b5f282e6f5a230993b9192128
-
SSDEEP
12288:0EOm/U97V194bWub1V5jdJislsmq/aWPNUEFkWsnFvM1XcCDB6iCuIgWPm3A5kIo:m9B19g5V5nxsmqaWPaEXsnfCPu6BH
Malware Config
Extracted
remcos
RemoteHost
192.210.150.26:8787
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-Q4NYK2
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FTE98767800000.bat.exe -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/1828-64-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2920-68-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2908-63-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions FTE98767800000.bat.exe -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2908-63-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1828-64-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2792 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools FTE98767800000.bat.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion FTE98767800000.bat.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FTE98767800000.bat.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FTE98767800000.bat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FTE98767800000.bat.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum FTE98767800000.bat.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 FTE98767800000.bat.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2384 set thread context of 3016 2384 FTE98767800000.bat.exe 35 PID 3016 set thread context of 1828 3016 wab.exe 38 PID 3016 set thread context of 2908 3016 wab.exe 39 PID 3016 set thread context of 2920 3016 wab.exe 40 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wab.exe -
Runs regedit.exe 1 IoCs
pid Process 2832 regedit.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2792 powershell.exe 1828 wab.exe 1828 wab.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 3016 wab.exe 3016 wab.exe 3016 wab.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2792 powershell.exe Token: SeDebugPrivilege 2920 wab.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3016 wab.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2792 2384 FTE98767800000.bat.exe 32 PID 2384 wrote to memory of 2792 2384 FTE98767800000.bat.exe 32 PID 2384 wrote to memory of 2792 2384 FTE98767800000.bat.exe 32 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 2832 2384 FTE98767800000.bat.exe 34 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 3016 2384 FTE98767800000.bat.exe 35 PID 2384 wrote to memory of 2624 2384 FTE98767800000.bat.exe 36 PID 2384 wrote to memory of 2624 2384 FTE98767800000.bat.exe 36 PID 2384 wrote to memory of 2624 2384 FTE98767800000.bat.exe 36 PID 3016 wrote to memory of 1828 3016 wab.exe 38 PID 3016 wrote to memory of 1828 3016 wab.exe 38 PID 3016 wrote to memory of 1828 3016 wab.exe 38 PID 3016 wrote to memory of 1828 3016 wab.exe 38 PID 3016 wrote to memory of 1828 3016 wab.exe 38 PID 3016 wrote to memory of 2908 3016 wab.exe 39 PID 3016 wrote to memory of 2908 3016 wab.exe 39 PID 3016 wrote to memory of 2908 3016 wab.exe 39 PID 3016 wrote to memory of 2908 3016 wab.exe 39 PID 3016 wrote to memory of 2908 3016 wab.exe 39 PID 3016 wrote to memory of 2920 3016 wab.exe 40 PID 3016 wrote to memory of 2920 3016 wab.exe 40 PID 3016 wrote to memory of 2920 3016 wab.exe 40 PID 3016 wrote to memory of 2920 3016 wab.exe 40 PID 3016 wrote to memory of 2920 3016 wab.exe 40 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FTE98767800000.bat.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FTE98767800000.bat.exe"C:\Users\Admin\AppData\Local\Temp\FTE98767800000.bat.exe"1⤵
- UAC bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FTE98767800000.bat.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"2⤵
- Runs regedit.exe
PID:2832
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gvezwavqzkkpblbsamzughex"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1828
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jprswkfknsccdrpwjxmvjuyodjsb"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2908
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\trwcxdqljauhnxlatizpuzlwmqjcekq"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2384 -s 8242⤵PID:2624
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128B
MD5da7ca21d252bf5192430f5333c957003
SHA11da05775454c4797e4d2b56683a75f3c49059492
SHA25668b37c1a528b774d736ad9f864b9b2b1d4f177ed93973393427e28401036fb1e
SHA512d265a9448ded050f7c99aa70e4b3a99c805f82d59299911d21b9626a3ad5da7ed86a62fe4a4e7f4b1d264222b3a20435a2098f3b4049d272a88bb0acb9f66716
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84